Key Recovery, Universal Forgery, and Committing Attacks against Revised Rocca: How Finalization Affects Security
DOI:
https://doi.org/10.46586/tosc.v2024.i2.85-117Keywords:
Rocca, key recovery, universal forgery, committing attacksAbstract
This paper examines the security of Rocca, an authenticated encryption algorithm designed for Beyond 5G/6G contexts. Rocca has been revised multiple times in the initialization and finalization for security reasons. In this paper, we study how the choice of the finalization affects the overall security of Rocca, covering key recovery, universal forgery, and committing attacks. We show a key-recovery attack faster than the exhaustive key search if a linear key mixing is used in the finalization. We also consider the ideally secure keyed finalization, which prevents key-recovery attacks. We show that, in the nonce-misuse setting, this does not prevent universal forgery with a practical data complexity, although the time complexity is high. Our result on committing attacks shows that none of the versions of Rocca considered in this paper is secure. We complete our analysis by presenting a concrete example of colliding inputs against the designers’ latest version of Rocca in the FROB setting, a strong notion of the committing security. Our analysis significantly improves the key committing attack against Rocca shown in ToSC 2024(1)/FSE 2024.
Downloads
Published
Issue
Section
License
Copyright (c) 2024 Ryunouchi Takeuchi, Yosuke Todo, Tetsu Iwata
This work is licensed under a Creative Commons Attribution 4.0 International License.