Key Recovery, Universal Forgery, and Committing Attacks against Revised Rocca: How Finalization Affects Security

. This paper examines the security of Rocca, an authenticated encryption algorithm designed for Beyond 5G/6G contexts. Rocca has been revised multiple times in the initialization and finalization for security reasons. In this paper, we study how the choice of the finalization affects the overall security of Rocca, covering key recovery, universal forgery, and committing attacks. We show a key-recovery attack faster than the exhaustive key search if a linear key mixing is used in the finalization. We also consider the ideally secure keyed finalization, which prevents key-recovery attacks. We show that, in the nonce-misuse setting, this does not prevent universal forgery with a practical data complexity, although the time complexity is high. Our result on committing attacks shows that none of the versions of Rocca considered in this paper is secure. We complete our analysis by presenting a concrete example of colliding inputs against the designers’ latest version of Rocca in the FROB setting, a strong notion of the committing security. Our analysis significantly improves the key committing attack against Rocca shown in ToSC 2024(1)/FSE 2024.


Introduction
Background.In the era of digitalization, with the rapid exchange of vast data volumes, the advent of Beyond 5G/6G necessitates an encryption scheme that is both efficient and secure.To realize such schemes, leveraging the AES [AES01] round function is a promising approach since modern CPUs have AES-NI [Gue10] instruction set to accelerate the encryption with the block cipher AES.Ciphers like AEGIS [WP13] and Tiaoxin-346 [Nik14] are examples employing SIMD instructions and the AES round function.Further efficiency improvement is observed in the round function identified by Jean and Nikolić [JN16], outperforming AEGIS and Tiaoxin-346.Rocca [SLN + 21], as introduced by Sakamoto et al. in ToSC 2021(2)/FSE 2022, stands out as an authenticated encryption designed for Beyond 5G/6G contexts.It also leverages the AES round function and achieves promising speed and security.
Rocca is a nonce-based authenticated encryption with associated data (AEAD) scheme, i.e., it provides both privacy and authenticity of messages, and authenticity of associated data, with the use of a nonce.A nonce is a non-repeating value that is used to securely encrypt multiple messages, and the use of a nonce has critical importance in its security.Yet, its implementation, as evidenced in systems like WPA [VP17] and VoLTE [RKHP20], reveals challenges, with instances of nonce repetition documented, highlighting a significant security concern. .They first showed a state-recovery attack that recovers the internal state of Rocca and works practically in the nonce-misuse setting, in which the attacker can repeat using the same nonce multiple times.In the nonce-respecting setting, the state-recovery attack works by making 2 128 decryption queries.Once the internal state is recovered, the structure of Rocca allows the attacker to recover the secret key.Rocca has a key of 256 bits, and this breaks the designers' security claim regarding key recovery.Hosoyamada et al. also suggested countermeasures, and one of them is to XOR the key at the end of the initialization and at the beginning of the finalization.To make it distinct from the original Rocca, we call the original version Rocca-v1, and the version by Hosoyamada et al.Rocca-v2.The countermeasure of Rocca-v2 cannot prevent the state-recovery attack itself.However, XORing the key at the end of the initialization counters the trivial key-recovery attack after the state-recovery attack.XORing the key at the beginning of the finalization counters the practical universal forgery attack after the state-recovery attack.
In response to Hosoyamada et al.'s attack, the designers of Rocca updated the ePrint version [SLN + 22a] and adopted XORing the key at the end of the initialization and at the beginning of the finalization.However, the subsequent ePrint version [SLN + 22b] saw the removal of XORing the key at the beginning of the finalization, raising security concerns.We call the version in [SLN + 22a] Rocca-v3, and the one in [SLN + 22b] Rocca-v4.See Table 1 for the versions of Rocca.This alteration made in Rocca-v4 maintains security against the trivial key-recovery attack.However, under the nonce-misuse setting, it allows a practical universal forgery attack.
It turns out that the choice of the finalization affects the overall security of Rocca.This paper delves into the security implications of various versions of Rocca, focusing on the risks associated with omitting XORing the key in the finalization phase, or more generally, we study how the choice of the finalization function affects the overall security of Rocca and clarify security trade-offs.consider the strong notion called FROB notion (full robustness notion) [FOR17].The notion is adapted to AEAD in [GLR17], and following [GLR17,MLGR23], the goal of the adversary is to output (K, N, A), (K ′ , N ′ , A ′ ), and (C, T ) such that Dec K (N, A, C, T ) ̸ = ⊥, Dec K ′ (N ′ , A ′ , C, T ) ̸ = ⊥, K ̸ = K ′ , and N = N ′ .CMT-4 and CMT-3 notions are equivalent, CMT-3 security implies CMT-1 security, and CMT-1 security implies FROB security [BH22].
The committing security is studied in [DFI + 24], covering AEGIS [WP13], Rocca-S [ABC + 23], Tiaoxin-346 [Nik14], and Rocca (Rocca-v1).The result on Rocca-v1 directly applies to Rocca-v4, and is the FROB attack with a complexity of 2 128 .This exceeds the generic complexity of 2 64 , which is the birthday bound of the tag length, concluding that Rocca-v1 has proven resistance to the attack presented in [DFI + 24], and posing its committing security as an open question.
We start by analysing CMT-3 security, focusing on the case K = K ′ , N = N ′ , and A ̸ = A ′ .By using the 7-round differential trail from zero to zero state difference shown in [HII + 22], we show a CMT-3 attack with a practical complexity.The attack works regardless the choice of the finalization.In particular, we present a concrete example of colliding inputs of Rocca-v3 [SLN + 22a], practically breaking its committing security.
We next consider a CMT-2 attack, which is not formally defined in [BH22], but is naturally defined as (K, N ) ̸ = (K ′ , N ′ ) as the distinctness condition.We consider this notion as the attack can be converted into CMT-1 and FROB attacks for schemes with non-keyed finalization, i.e., Rocca-v1 and Rocca-v4.Starting from two distinct states, we develop an algorithm to output distinct associate data such that after the absorption, the resulting states collide.The complexity of the algorithm is 2 16 .As a result, we have a CMT-2 attack against all the versions of Rocca, and we also have FROB and CMT-1 attacks against Rocca-v1 and Rocca-v4.We experimentally verify the correctness of the attack by presenting a concrete example of FROB attack against Rocca-v4.This result significantly improves the FROB attack of 2 128 complexity against Rocca-v1 in [DFI + 24] by a factor of 2 112 into a practical one, and negatively solves the open question in [DFI + 24].
See Tables 2 and 3 for the summary of our results.

Related Works
Rocca has already received various security analyses.Anand and Isobe evaluated the security against differential fault attacks in the nonce-misuse setting [AI21].This attack results in a complete internal state recovery by injecting 4 × 48 faults.Bonnetain and Schrottenloher analyzed quantum state-recovery attack in Q2 setting [BS23].See [AI23] for the implementation of the quantum circuit of Rocca.Shiraya et al. analyzed distinguishing attacks on the initialization phase and keystream [STSI23].Takeuchi et al. studied the optimality of the round function of Rocca [TSI23a].See [TSI23b] for the security evaluation

Preliminaries
In We call the version Rocca-v3.Later, the ePrint version was again updated, where absorbing the secret key at the beginning of the finalization was removed [SLN + 22b].We call the version Rocca-v4.Table 1 summarizes the comparison of several versions of Rocca.

Specification of Rocca-v1 [SLN + 21]
Notation.A block is defined as a 16-byte value.A block can be represented as a 4 × 4 byte state matrix, expressed as Each X i,j represents one byte of data.

Figure 1: The round function of Rocca
The function A(X) represents the AES round function without AddRoundKey, and is defined as where MixColumns, ShiftRows, and SubBytes are the operations as defined in the specification of the AES [AES01].These operations are written as MC, SR, and SB, respectively.For a byte X ∈ {0, 1} 8 , Sb(X) denotes the output of the AES S-box on X.
Additionally, |X| denotes the length of a bit string X in bits, 0 l is the zero string of length l bits, and X ∥ Y represents the concatenation of bit strings X and Y .Finally, R(S t , X 0 , X 1 ) denotes the round function used to update the state S t , where X 0 and X 1 are two input blocks.
The Round Update Function.The input of the round function R(S t , X 0 , X 1 ) of Rocca consists of the state S t and two blocks X 0 and X 1 .The output S t+1 ← R(S t , X 0 , X 1 ) is computed as follows: See Fig. 1 for the corresponding illustration.
The Mode of Operation.Rocca is composed of four phases: initialization, processing the associated data, encryption, and finalization.The encryption algorithm of Rocca takes the following inputs: a 256-bit key 2 , a 128-bit nonce N ∈ F 128 2 , associated data A, and a message M .The output consists of the corresponding ciphertext C and a 128-bit tag T ∈ F 128 2 .We write Enc K (N, A, M ) = (C, T ).The decryption of Rocca takes (K, N, A, C, T ) and returns M such that Enc K (N, A, M ) = (C, T ), or we may write this as Dec K (N, A, C, T ) = ⊤, indicating acceptance.
To process a string X of any bit length, we define X = X ∥ 0 l , where l represents the minimum non-negative integer required to make the length of X a multiple of 256.Additionally, if a string X has a length that is already a multiple of 256, we express it as , where each X i has a length of 128 bits.

Initialization.
A 128-bit nonce N and a 256-bit key K 0 ∥ K 1 are loaded into the state S in the following way: Note that Z 0 and Z 1 are defined in Eq.(1).Then, 20 iterations of the round function R(S, Z 0 , Z 1 ) is applied to the state S. We call the internal state after the initialization an initial state.
Processing Associated Data.Associated data A is padded to A and is parsed as Then the state is updated as follows: Note that this phase is skipped if A is empty.
Processing Message.On encryption, we process a message as follows: The message M is first padded to M and is parsed as M is absorbed with the round function, and the corresponding ciphertext C is generated.A detailed procedure is shown as follows: Processing Ciphertext.On decryption, the ciphertext C is first padded to C, and then parsed as Then, C is absorbed with the round function to generate the corresponding message M .The procedure is as follows: The encryption procedure of Rocca-v1 Finalization.After processing the message/ciphertext, the state S passes through 20 iterations of the round function R(S, |A|, |M |) and then the tag is computed in the following way: On decryption, the computed tag is compared with the tag given as input, and M is returned if they are equal.Figure 2 shows the encryption procedure of Rocca.

Specification of Other Versions
and in Rocca-v3 [SLN + 22a] and in Rocca-v4 [SLN + 22b], the keys are XORed as We write this process as Init(N, K 0 , K 1 ) = S.
Finalization.Starting from the state S, before 20 iterations of the round function, two 128-bit keys are XORed into the state S in the following way: Then, the round function is iterated 20 times to compute a tag T .We write this process as Fin * (S, K) = T .Note that Rocca-v4 does not have the key XORing at the beginning of the finalization.
Figure 3 shows the encryption procedure of Rocca-v2 and Rocca-v3.
The encryption procedure of Rocca-v2 and Rocca-v3.The attack exploits two plaintexts/ciphertexts using the same nonce, where the two texts have a specific difference.In the nonce-misuse setting, collecting such texts is easy by using the encryption oracle.On the other hand, in the nonce-respecting setting, it is prohibited to make two queries with the same nonce to the encryption oracle.Instead, Hosoyamada et al. exploited the decryption oracle.Since the tag size of Rocca is 128 bits and the security level is 256 bits, it is possible to collect such texts by using 2 128 decryption queries.

State-Recovery Attack Shown in [HII
We now have two texts with a common internal state.The goal is to recover the internal state.We absorb different messages whose relationship has a specific difference.The difference is diffused to the whole internal state via several rounds, but their diffused differences are known until several rounds.As a result, we have several active A functions whose input and output differences are known.Since the function A is the AES round function, we can reduce the candidate of input/output values of the active S-boxes into two or four when the input/output differences are known.By exploiting the relationship among five such active A functions and the meet-in-the-middle technique, Hosoyamada et al. showed the procedure to recover the whole internal state with a complexity of 2 20 .Refer to [HII + 22] for more details.

Key-Recovery Attacks against Rocca-v2 and Rocca-v3
In this section, we propose key-recovery attacks against Rocca-v2 [HII + 22] and Rocca-v3 [SLN + 22a].We cover both nonce-misuse and nonce-respecting settings.The attacker is given the encryption and/or decryption oracles, and the goal is to recover the 256-bit secret key K = K 0 ∥ K 1 .In [SLN + 22a] and [HII + 22], the position to XOR the key in the finalization phase differs.We show that both key positions allow key-recovery attacks.
We first consider Rocca-v3 ) denotes a tag T that is obtained by making an encryption query (N, A, M ) such that the internal state just before the finalization phase is S t .This corresponds to an online computation.Similarly, Fin Dec K (S t , T ) denotes ⊤ or ⊥ that is obtained by making a decryption query (N, A, C, T ) such that the internal state just before the finalization phase is S t .It returns ⊤ if the decryption is successful, or ⊥ if the Algorithm 1 Nonce-misuse key-recovery attack against Rocca-v3 Input: N ▷ choose arbitrary N Output: K 0 , K 1 1: S 0 ← StateRecovery(N ) ▷ run the state-recovery attack on N 2: for M 0 in range {0, 1} 128 do 3: end if 16: end for decryption fails or is invalid.This corresponds to an online computation.Fin * (S t , K 0 , K 1 ) denotes the offline computation of a tag T that uses K 0 , K 1 , and the internal state S t , which is the state just before the finalization phase.Finally, Init(N, K 0 , K 1 ) denotes offline computation of the internal state after the initialization phase from K 0 , K 1 , and N .

Key-Recovery Attack against Rocca-v3
In the finalization phase of Rocca-v3 [SLN + 22a], the key is XORed into the same positions as the input blocks of the previous round.Our attack makes use of this fact.

Case of Nonce-Misuse Setting
We first consider the nonce-misuse setting, and our key-recovery attack is presented in Algorithm 1.Following the notation in Sect.2.1, we first establish the relationship between the queries and offline computations.In this version, the key is XORed into S t [0] and S t [4] as S t [0] ⊕ K 0 and S t [4] ⊕ K 1 .Therefore, for any differential inputs X 0 , X 1 ∈ {0, 1} 128 to the state of the input of the finalization S t , the following relationship holds true: To see this, on both sides of Eq.(2), the state after XORing the key in the finalization phase becomes , resulting in matching output tags.Since the inputs are XORed at the same positions as the key, we use M 0 as X 0 and M 1 as X 1 .See Fig. 4 for a figure describing the case t = 1.Now, consider the case |M | = 2n (i.e., t = 1), and let M 1 be any fixed value.For simplicity, let M 1 = 0 128 .If K 0 ⊕ M 0 = 0 128 holds true (0 128 can be other constant, but we consider the case K 0 ⊕ M 0 = 0 128 for simplicity), then we have Observe that there exists M 0 that satisfies K 0 ⊕ M 0 = 0 128 , and we can recover K 1 through the exhaustive search over K 1 .Our attack searches for M 0 and K 1 separately.That is, we first run the state-recovery attack on N to obtain S 0 (line 1, Algorithm 1).Then, for each M 0 ∈ {0, 1} 128 , we make an encryption query such that the state before the finalization is (S ).This corresponds to making an encryption query (N, A, M 0 ∥ M 1 ) with |A| = 0 and M 1 = 0 128 .We then obtain T , and store (T, M 0 ) in TagList, sorted in T (line 2-5, Algorithm 1).Then, we compute Fin * (S 1 , 0 128 , k 1 ) in offline for each k 1 ∈ {0, 1} 128 for the exhaustive search on K 1 (line 8-16, Algorithm 1).If the same tag exists in TagList, we compute the initial state with (K 0 , K 1 ) = (M 0 , k 1 ), and if the state becomes S 0 obtained in the state-recovery attack in line 1, (M 0 , k 1 ) is returned as the secret key.The attack makes 2 128 encryption queries and makes 2 128 offline computation through Fin * with a search over TagList, which is assumed to be run in constant time, and the memory complexity of 2 128 , which is the size of TagList.Overall, the complexity of the attack is 2 128 .The attack succeeds with an overwhelming probability, since we exhaustively search over all M 0 and k 1 , ensuring that there always exists a combination such that M 0 = K 0 and k 1 = K 1 .We also see that the state after initialization is different in most cases for different keys, and hence the verification with Init ensures that the correct key is returned.

Case of Nonce-Respecting Setting
In the nonce-respecting setting, extra complexity is needed for decryption queries.Algorithm 2 is the key-recovery attack in the nonce-respecting setting.
In Eq.(3), we let Here, let m ′ 0 = 0 64 , M 1 = 0 128 , and if k 0 ⊕ m 0 = 0 64 holds true, then we have Our attack searches for m 0 and (k ′ 0 , K 1 ) separately.Following the procedure shown in Sect.3.1.1,we utilize 2 128 decryption queries instead of an encryption query.This is in line 5 of Algorithm 2, and the decryption query is (N, A, C, T ) with |A| = 0 and C being the ciphertext obtained from the state S 0 and m 0 ∥ 0 64 ∥ 0 128 as the message, which can be computed in offline.Then, there exists m 0 that satisfies k 0 ⊕ m 0 = 0 64 , and we can recover k ′ 0 and K 1 through exhaustive search.The attack makes 2 64+128 decryption queries and makes 2 192 offline computation through Fin * with a search over TagList, whose size is 2 64 .Overall, the complexity of the attack is 2 192 , and it succeeds with an overwhelming probability.end for 10: end for 11: S 1 ← R(S 0 , m 0 ∥ 0 64 , 0 128 ) for m 0 = 0 64 12: for k 1 in range {0, 1} 128 do 13: for k ′ 0 in range {0, 1} 64 do 14: if T in TagList then 16: end for 22: end for

Key-Recovery Attack against Rocca-v2
In the finalization phase of Rocca-v2 [HII + 22], the key is XORed as For any X 0 , X 1 ∈ {0, 1} 128 , we have Now, let X be a variable over some set X , and let f, g : X → {0, 1} 128 be functions.Assume that we can express X 0 and X 1 as X 0 = f (X) and X 1 = g(X).If K 0 ⊕ X 0 = 0 128 and k 1 = K 1 ⊕ g(X) hold true, then we have Assuming that computing f (X) for 2 128 different values of X covers most of the space of {0, 1} 128 , performing an exhaustive search for both X and k 1 guarantees the existence of X and k 1 such that K 0 ⊕ f (X) = 0 128 and k 1 = K 1 ⊕ g(X) with a high probability.By obtaining X and k 1 , we succeed in the key-recovery attack by using the same procedure as in Sect.3.1.
We consider the case |M | = 8n (i.e., t = 4).The approach of the attack is to develop a method to compute the inputs M = (M 0 , . . ., M 7 ) for 4 rounds, where f (M ) and g(M ) are XORed into S 4 [1] and S 4 [2], respectively, while keeping the values of other state blocks S 4 [0, 3..7] unchanged, in order to make Fin Enc K queries.The internal states of S 1 to S 4 for the last 3 rounds out of the 4 rounds are represented as follows: The input message blocks are highlighted in red.From the above equations, for any S 1 , we can find inputs M 2 , . . ., M 7 that fix the values of S 4 [0, 3..7] to any desired value in constant time.In more detail, we proceed as follows: Therefore, for any S 0 , when we modify the values of M 0 and M 1 , the values of the other 6 blocks except for S 4 [1] and S 4 [2] can be kept unchanged by choosing suitable M 2 , . . ., M 7 , and the values of S 4 [1] and S 4 [2] depend on M 0 and M 1 .The above steps give us a way to find inputs M 2 , . . ., M 7 that satisfy this condition.
From the above, we can express X 0 = f (M 0 , M 1 ) and X 1 = g(M 0 , M 1 ), and by performing a search over M 0 and M 1 with a complexity of 2 128 , we can perform an exhaustive search for f (M 0 , M 1 ).Assuming that f behaves as a random function, the probability that we have M satisfying K 0 ⊕f (M 0 , M 1 ) = 0 128 by 2 128 searches over M 0 and M 1 is estimated as (1 − e −1 ) from Poisson distribution.For this M , since we exhaustively search over k 1 , there exists k 1 that satisfies k 1 = K 1 ⊕ g(M 0 , M 1 ), allowing us to determine We consider the case S 4 = 0 1024 , and our key-recovery attack in the nonce-misuse setting is presented in Algorithm 3. We can perform a key-recovery attack with a complexity of 2 128 .Our key-recovery attack in the nonce-respecting setting is presented in Algorithm 4. The time complexity of the attack is 2 192 .
We remark that [DFI + 24] uses a similar approach to compute M 2 , . . ., M 7 in their committing attack, citing [TI23] as a reference.

Rocca with Stronger Finalization
The key-recovery attacks in the previous section exploit the key XORing of the finalization.To counter the attack, one option is to remove the key XORing, as in Rocca-v4 [SLN + 22b].However, it means a practical threat of universal forgery in the nonce-misuse setting.Therefore, a more robust countermeasure is to use a stronger finalization phase.In this section, we consider a new version of Rocca, where an arbitrary linear expansion of the key is XORed into the state before the last 20 iterations of the round function.Then, the above Algorithm 3 Nonce-misuse key-recovery attack against Rocca-v2 Input: N ▷ choose arbitrary N Output: K 0 , K 1 1: S 0 ← StateRecovery(N ) ▷ run the state-recovery attack on N 2: for M 0 in range {0, 1} 128 do 3: ) to TagList 13: end for 14: for k 1 in range {0, 1} 128 do 15: T ← Fin * (S 4 , K 0 , k 1 ) for S 4 = 0 1024 , K 0 = 0 128 ▷ offline computation 16: if T in TagList then 17: end if 22: end for attack, which adjusts each block step-by-step, is no longer available.It turns out that this still allows a key-recovery attack faster than the exhaustive key search.In order to show this, we first establish an algorithm to derive a message that interpolates two internal states.We then show the key-recovery attack using the state-interpolation algorithm.We also discuss possible countermeasures to strengthen the finalization phase further.Using the ideally secure keyed finalization is an option to avoid the key-recovery attack.Although it still allows non-trivial universal forgery attacks, the required complexity is not practical.
We start by proposing our state-interpolation algorithm in Sect.4.1, followed by a key-recovery attack against Rocca with an arbitrary linear key expansion and possible countermeasures in Sect.4.2.We finally present a universal forgery attack against Rocca with the ideal keyed finalization in Sect.4.3.

Deriving Messages to Interpolate Internal States
In this section, we propose an algorithm to derive a message M = (M 0 , . . ., M 7 ) of 8 blocks that interpolates two internal states (S 0 , S 4 ).That is, for any given S 0 and S 4 , the state-interpolation algorithm returns M = (M 0 , . . ., M 7 ) such that where the time complexity of the algorithm is 2 160 .Input Relationships. Figure 5 shows the internal state of Rocca for the state-interpolation algorithm.In the figure, the colors have the following semantics: • Red-colored blocks are given values.

27:
end for 28: end for • Blue-colored blocks are computed by determining M 0 .
• Green-colored blocks are computed by determining M 1 .
• Yellow-colored blocks are computed by determining M 0 and M 1 .
As shown in Fig. 5, considering M 0 and M 1 as variables, the internal states are calculated in the order of the arrows.If the internal states determined by M 0 and M 1 do not cause a contradiction, M 2 , . . ., M 7 that interpolate between S 0 and S 4 can be found.S 3 [1] and S 2 [0], the states enclosed by the red dashed line in Fig. 5, are the only states that can cause a contradiction if we follow the arrows of Fig. 5.These states can be represented in two ways using M 0 , M 1 .Since these values must match, we identify two equations, Eqs.( 5) and (6), as follows: State-Interpolation Algorithm.We show an algorithm that computes M 0 and M 1 such that both Eqs.( 5) and ( 6) are satisfied.Then, the remaining message blocks M 2 , . . ., M 7 can be efficiently computed.
given state 1.Fix M 0 arbitrarily.Then rewrite Eq.( 5) as an expression of M 1 with M 0 being fixed.
In detail, first, we expand Eq.( 5) with respect to M 1 as follows: Here, the blue-colored blocks in Fig. 5 are highlighted in blue in Eq.( 7).From red-colored blocks and blue-colored blocks, we define X and Y as follows: ) By using X and Y , Eq.( 7) can be expressed as follows: Here, M ′ 1 is defined as Now from the linearity of MixColumns and ShiftRows, by defining X ′ as X ′ = SR −1 • MC −1 (X), Eq.( 8) can be written as 2. Solve Eq.( 9) for M ′ 1 .We show the process in this step in Figs.6(a)-(d).
(a) We focus on the blue-colored bytes in Fig. 6(a).Then, Eq.( 9) is expressed as Here, we abuse the notation to apply MC and SB on a word of 32-bit state.Now, we first fix x 0,0 , x 1,1 , x 2,2 on the right hand side of Eq.(10).Then since x 0,0 is fixed, the corresponding first row value of the left hand side of Eq.( 10) is fixed, and from this, we obtain a unique value of x 3,3 that is consistent with the first row.Then, all the values in the left hand side have been fixed, and we have x 1,0 , x 2,0 , x 3,0 , which are the bytes marked with a red circle in Fig. 6(a), that satisfy the equality of Eq.( 10).(b) We focus on the blue-colored bytes in Fig. 6(b).Gray-colored bytes are fixed bytes in Step (a).We obtain the following equation: We obtain the system of equations in x 1,2 and x 2,3 by trying x 0,1 as indicated by the first and the second rows of Eq.( 11).For each of (x 0,1 , x 1,2 , x 2,3 ), the right hand side of Eq.( 11) is fixed, implying that the values of x 2,1 and x 3,1 are fixed as well.
(c) We focus on the blue-colored bytes in Fig. 6(c).We obtain We then have the system of equations in x 0,2 and x 1,3 that is obtained from the first, second, and the third rows of Eq.( 12).The right hand side of Eq.( 12) is fixed, implying that the value of x 3,2 is fixed as well.
3. Check whether Eq.( 6) holds with the obtained M 0 and M 1 .If it does, proceed to Step 5, otherwise proceed to Step 4.

Repeat Step 1 to
Step 3 by changing M 0 .
In Step 2, we try 4 bytes and thus the time complexity of this step is 2 32 .The probability that Eq.( 6) holds with M 0 and M 1 derived in Step 2 is expected to be 2 −128 .Therefore, the total time complexity of our interpolation algorithm is 2 128+32 = 2 160 .
We remark that it is straightforward to generalize the algorithm to interpolate two states S 0 and S t for any t ≥ 4. That is, we can run the above state-interpolation algorithm on (S t−4 , S t ), where S t−4 is the state after injecting any message on S 0 .

Key-Recovery Attack against Rocca with Arbitrary Linear Key Expansion
In this section, we show that Rocca with an arbitrary linear key expansion still allows a key-recovery attack in the nonce-respecting setting.This in particular shows that the choice of the key position to XOR at the beginning of the finalization phase is irrelevant to the security of Rocca.We consider the case that K 0 and K 1 are XORed into the state with an arbitrary linear key expansion.That is, the state S t is updated as S t ⊕ L(K 0 ∥ K 1 ), where L : {0, 1} 256 → {0, 1} 1024 is a linear and injective mapping.We show that this general case still allows key-recovery attacks.
We propose the attack in Algorithm 5. Let k 0 and k 1 be variables such that First, we run the state-recovery attack on N to obtain S 0 (line 1, Algorithm 5).We can create an arbitrary state with a complexity of 2 160 by using the interpolation algorithm in Sect.4.1 (line 3, Algorithm 5).Then, we make a decryption query (N, A, C, T ) (line 6, Algorithm 5), where |A| = 0 and C is the ciphertext of M = (M 0 , . . ., M 7 ) obtained in line 3.Note that the state before the finalization is S 4 = L(k 0 ∥ 0 208 ) for each k 0 .We obtain T , and store it in TagList.Then, we compute Fin * (L(0 256 ), 0 48 ∥ k ′ 0 , k 1 ) for each k ′ 0 and k 1 in offline (line 14, Algorithm 5).If the same tag exists in TagList, we compute the initialization phase with (K 0 , K 1 ) = (k 0 ∥ k ′ 0 , k 1 ), and when the state is the same as S 0 , (k 0 ∥ k ′ 0 , k 1 ) is returned as the key.
Since we search over k 0 and (k ′ 0 , k 1 ) separately, the key-recovery in the nonce-respecting setting works with a complexity of 2 208 .
In the nonce-misuse setting, 2 128 decryption queries can be replaced with one encryption query.However, the overall complexity remains 2 208 as the 2 160 complexity of the stateinterpolation algorithm in Sect.4.1 dominates the complexity.
Possible Countermeasures.Our analyses have shown that XORing with linearly expanded key in the finalization phase does not prevent key-recovery attacks.In response, we consider several approaches of countermeasures.
First, using a non-linear key expansion is one potential countermeasure.However, it is essential to carefully choose an appropriate non-linear function, as using an unsuitable one may fail to meet the required security standards.Second, we might use keyed permutation instead of the public permutation and key XORing.When the ideal keyed permutation is used, the key-recovery attack is impossible, even if the attacker can access the keyed permutation directly.

Universal Forgery against Rocca with Ideal Keyed Finalization
Universal forgery is a type of forgery attacks where an attacker is given a challenge (N * , A * , M * ) and outputs (C * , T * ) such that Enc K (N * , A * , M * ) = (C * , T * ).The attacker can use encryption and decryption oracles.However, the attacker cannot make an encryption query (N * , A * , M * ).

Generic Universal Forgery and Results from [HII + 22]
The generic complexity of the universal forgery against all the version of Rocca, or more generally, against any online AEAD scheme, is 2 |T | .In an online AEAD scheme, for a fixed key, nonce, and associated data, the first i bits of the ciphertext depends only on the first i bits of the message.The generic attack works as follows: Let M = M * ∥ M ′ for some |M ′ | ≥ 1.The attacker makes an encryption query (N * , A * , M ) to receive C and T , where C * is the first |M * | bits of C. The attacker makes 2 |T | decryption queries to obtain the correct tag T * for (N * , A * , C * ), and this works in the nonce-respecting or nonce-misuse setting.
For Rocca, after a state-recovery attack of [HII + 22], universal forgery can be executed with constant complexity against non-keyed finalization version of Rocca (Rocca-v1 and Rocca-v4).While the complexity of the state-recovery attack is 2 128 in the nonce-respecting setting, it is 2 20 in the nonce-misuse setting.Thus, the threat is practical in the noncemisuse setting, and it motivates us to use the keyed finalization.An ideally secure keyed finalization can be an option, however, it is still unclear whether using it is promising against universal forgery.We consider Rocca using the ideally secure keyed finalization and show universal forgery in the nonce-misuse setting with a practical data complexity.4, respectively.On the other hand, the offline time complexity is 2 160 for the stateinterpolation algorithm.

Committing Security
Committing security has recently been actively discussed as a new demanded security feature for AEAD schemes.There are several kinds of committing security notions, and we discuss CMT-3, CMT-2, CMT-1 [BH22], and FROB [FOR17] security in this paper.CMT-ℓ security requires the infeasibility of an attacker to determine (K, N, A, M ) and with the condition that the tuple of the first ℓ inputs of the AEAD differs.In other words, it commits to the first ℓ inputs.FROB security is a stronger security notion than CMT-1, which requires N = N ′ in addition to the condition for CMT-1.
We present two types of CMT attacks.The first attack breaks the CMT-3 security, where identical key and nonce are used.Therefore, it has the identical output of the initialization.We then show a pair of (distinct) associated data such that the internal state collides after several rounds.The second attack breaks the CMT-2 security, where the output of the initialization takes a different state because it uses a different key and nonce.We then show a pair of associated data such that the internal state collides after several rounds.This attack is trivially converted to the CMT-1/FROB attack when the finalization does not involve the secret key like Rocca-v1 or Rocca-v4.Figure 7 shows the high-level overview of these attacks.

CMT-3 Attack
Given the identical initial state after the initialization, the CMT-3 attack aims to find A and A ′ (̸ = A) such that the internal state collides after absorbing each associated data.Inheriting the 7-round differential trail from zero to zero difference shown in [HII + 22] for the existential forgery attack, we show a CMT-3 attack with a practical complexity.Figure 8 shows the differential trail.The trail contains 25 active S-boxes.While the differential characteristic probability is 2 −150 , an attacker knows the secret key and can compute the internal state in our attack scenario.Therefore, we do not need to rely on the probabilistic event to satisfy differential transition for 25 active S-boxes.We can choose A and A ′ step-by-step so that 25 active S-boxes satisfy the required differential transition.
For every active S-box out of 25 active S-boxes, only two pairs of values satisfy differential transition, and each value is (almost) fixed before every active S-box.For example, the active S-box in the 2nd round uses the differential transition, 0xF5 → 0x85, and only the following two pairs satisfy the transition.
We can control the value of S r [0] by choosing A 2r−2 .Similarly, we can control the value of S r [4] by choosing A 2r−1 .Therefore, 15 out of 25 active S-boxes (colored in yellow in Fig. 8) are controllable by choosing A 0 , A 6 , A 8 , A 10 , A 5 , A 7 , A 9 .We still have ten active S-boxes, and these inputs are S r [2].We control S 3 [2] and S 4 [2] by choosing A 1 and A 3 , respectively.We also control S 5 [2] by choosing A 4 .Note that A 1 , A 3 , and A 4 are not used to control S r [0] and S r [4] in above.To control S 6 [2], we choose A 5 .Although it is already used to control S 3 [4], only one active S-box needs to be controlled there, i.e., we only choose A 5,0,0 to control S 3 [4].On the other hand, to control the diagonal of S 6 [2], A 5 except for A 5,0,0 is enough.
We can find A and A ′ satisfying this differential trail with a complexity of O(1).Specifically, we first determine A 0 , A 1 , A 2 , and A 3 such that their related active S-boxes satisfy the differential transition.Then, we can determine S 1 , S 2 , and S 3 except for S 3 [0] and S 3 [4].We can also determine A 6 and A 7 such that their related active S-boxes satisfy the differential transitions.Then, we can determine S 4 [0] and S 4 [4].To find A 4 and A 5 , we need to decompose each related block into bytes.Algorithm 8 shows the procedure, where C i and D i denote the ith column and ith diagonal of the input matrix, respectively.It is not difficult to find A 8 , A 9 , A 10 , A 11 , A 12 , and A 13 .We focus on related active S-box and choose each value such that related active S-boxes satisfy the differential transitions.
The attack complexity for the CMT-3 attack is O(1).We implemented the attack algorithm and the test case is shown in Appendix A.

CMT-2, CMT-1, and FROB Attacks
When either or both the key and nonce differ, the initialization outputs different initial states.It is unlikely that each initial state is controllable even if the key is known, considering the initialization has 20 rounds.Therefore, we show an algorithm to find A and A ′ , where the internal state collides after absorbing each associated data from two randomly chosen initial states.Once the internal state collides before processing the message, it is trivial to demonstrate the CMT-2 attack.Note that when the finalization is independent of the key like Rocca-v1 or Rocca-v4, it can be the CMT-1 and FROB attacks.
Our attack is presented in Algorithm 9. We prepare two associated data such that 6 out of 8 blocks collide after absorbing each associated data.Specifically, S[0, 1, 4..7] collide.We have several methods to find such associated data.As shown in Sect.3.2, it is possible to fix the value of S 4 [0, 3..7].When the same associated data is absorbed in an additional one round, S 5 [0, 1, 4..7] collide.It is also possible to directly fix S 4 [0, 1, 4..7].Hereinafter, we show our analysis using the state, where S 4 [0, 1, 4..7] collide.
Figure 9 shows the overview of the CMT-2, CMT-1, and FROB attacks.Now, S 4 [2] and S 4 [3] have differences, and the other 6 blocks do not have differences.After one round, The condition to succeed in the CMT-2 attack is From the equations above, we have We cannot choose S 5 [6] and Rocca-v1 and Rocca-v4 allow a practical attack in FROB notion, one of the strongest notions of committing attacks.Our result significantly improves the result in [DFI + 24] on Rocca-v1.These schemes cannot be used in applications where committing security is expected.XORing the key at the beginning of finalization in Rocca-v2 and Rocca-v3 is supposed to add resistance against universal forgery, while this is the crucial reason why these schemes allow key recovery that is faster than the exhaustive key search.With respect to universal forgery in the nonce-misuse setting, Rocca-v1 is worse than GCM in that it allows key recovery, and Rocca-v4 inherits the weakness of GCM allowing practical universal forgery.For Rocca-v2 and Rocca-v3, they admit universal forgery with a practical data complexity, while this not a concern for the high time complexity.
In the security notions in the secret key setting, i.e., key recovery and universal forgery, whether a nonce is reused or respected, Rocca-v2 and Rocca-v3 do not reach the level of their expected security, while none of the attacks we presented is a practical concern.The design of Rocca-v4 can be interpreted to introduce a risk of practical universal forgery in the nonce-misuse setting to avoid the impractical attacks on Rocca-v2 and Rocca-v3.
Rocca-S [ABC + 23] is another revised version of Rocca to address the attacks presented in [HII + 22].The design follows Rocca-v4 in that XORing the key in the finalization is omitted, and it would be interesting to study its security in light of our results of this paper.
We define K, K ′ , N , and N ′ as follows (written in hex in an array):

B Test Case for the FROB Attack
We present a test case for the FROB attack.We consider Rocca-v4 in [SLN + 22b].We present an example of (K, N, A, M ), (K ′ , N ′ , A ′ , M ′ ), and (C, T ) such that (C, T ) = Enc K (N, A, M ) = Enc K ′ (N ′ , A ′ , M ′ ), with the constraint that K ̸ = K ′ , N = N ′ .
We define K, K ′ , N , and N ′ as follows (written in hex in an array): this section, we introduce the notation and present the specification of various versions of Rocca.The original version was proposed at ToSC 2021(2)/FSE 2022 [SLN + 21], and we call it Rocca-v1 to make it distinct from other versions.At ToSC 2022(3)/FSE 2023 [HII + 22], Hosoyamada et al. presented attacks on Rocca-v1 and broke the security claim.In the same paper, Hosoyamada et al. suggested tweaking the specification to XORing the secret key at the end of the initialization and at the beginning of the finalization.We call the version Rocca-v2.A similar tweak was adopted in the revised ePrint version of Rocca [SLN + 22a].

Figure 4 :
Figure 4: Illustration of the encryption process of Rocca-v3 for the case t = 1

Figure 7 :
Figure 7: Two CMT attacks against several versions of Rocca.The left figure shows the CMT-3 attack.The right figure shows the CMT-2 attack, which can be converted into CMT-1 or FROB when the finalization does not involve the key.

S 5
[3], S 5 [4], and S 5 [5] have differences.It is easy to cancel out the difference in S 6 [4] by using A 11 such that ∆A 11 = ∆S 5 [3].We aim to cancel out the difference in S 6 [5] and S 6 [6] at the same time by choosing A 9 .

Table 1 :
Comparison with several versions of Rocca Hosoyamada et al. showed vulnerabilities in Rocca [HII + 22]

Table 2 :
Complexity of key recovery and committing attacks against different versions of Rocca.The key length is 256 bits for all the versions.O(1) denotes computation of a few encryption.
Organization of This Paper.In Sect.2, we review the specification of Rocca.An overview of the state-recovery in [HII + 22] is given in Sect.2.3.In Sect.3, we present key-recovery attacks against Rocca-v2 and Rocca-v3.In Sect.4, we present the state-interpolation algorithm and use the algorithm for key recovery against Rocca + any linear key mixing and for nonce-misuse universal forgery against Rocca + ideal keyed finalization.We cover committing attacks in Sect.5, and conclude the paper in Sect.6. Appendices A and B show test cases of our committing attacks.