Security Evaluation of Initialization Phases and Round Functions of Rocca and AEGIS

TAKEUCHI, Nobuyuki; Sakamoto, Kosei; Isobe, Takanori

doi:10.1587/transfun.2022cip0013

Cited by 2 publications

(5 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…According to Section 3.2, Tiaoxin‐346 has a nonce input to T 6 [1], and T 6 [11] and T 6 [1] are only called at least 4 AES round functions in 15 rounds. Because the longest integral distinguisher of AES has been discovered up to 4 rounds [10], we consider that the distinguisher was discovered in 15 rounds that are full rounds.…”

Section: Discussionmentioning

confidence: 99%

“…Regarding integral attacks, we present integral distinguishers on 6/6/7, 15, and 7 rounds of AEGIS-128/ 128L/256, Tiaoxin-346, and Rocca, respectively. Exploiting the full degree of freedom of nonce, these can improve 1 round of integral distinguishers on AEGIS-128L and Rocca from the results of Takeuchi et al [11], and the first result on integral properties of Tiaoxin-346 (Table 2). The encryption phase.…”

Section: Our Contributionmentioning

confidence: 95%

“…Exploiting the full degree of freedom of nonce, these can improve 1 round of integral distinguishers on AEGIS‐128L and Rocca from the results of Takeuchi et al. [11], and the first result on integral properties of Tiaoxin‐346 (Table 2). The encryption phase.…”

Section: Introductionmentioning

confidence: 97%

“…Recently, Takeuchi et al. evaluated the security against differential attacks [9] and integral attacks [10] for the initialisation phase of AEGIS and Rocca [11]. In designer's evaluations of Tiaoxin‐346, they evaluate differential attacks by active‐sbox evaluation; however, they did not give the detailed lower bounds for the number of active S‐boxes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

MILP‐based security evaluation for AEGIS/Tiaoxin‐346/Rocca

Shiraya

TAKEUCHI

Sakamoto

et al. 2023

IET Information Security

Self Cite

View full text Add to dashboard Cite

In this paper, the security of Advanced Encryption Standard-based authenticated encryption schemes, including AEGIS family, Tiaoxin-346, and Rocca by mixed integer linear programming tools is examined. Specifically, for the initialisation phase of AEGIS, Tiaoxin-346, and Rocca, the security against differential attacks and integral attacks is evaluated by estimating the lower bounds for the number of active S-boxes and utilising division property, respectively. In addition to the estimations of initialisation phases, the security of the encryption phases of AEGIS, Tiaoxin-346, and Rocca against distinguishing attacks on keystream is evaluated by exploiting integral properties. As a result, the authors show that the initialisation phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca are secure against differential attacks after 4/3/6, 5, and 6 rounds, respectively. Regarding integral attacks, the distinguisher is found on 6/6/7, 15, and 7 rounds in the initialisation phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca, respectively. Additionally, the integral distinguisher is presented on 2/2/4, 4, and 4 rounds in the encryption phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca, respectively. As far as it is known, this study's results are the first distinguishing attacks on the keystream on AEGIS, Tiaoxin-346, and Rocca without relying on weak keys. K E Y W O R D S cryptography, security 1 | INTRODUCTION 1.1 | Background At Selected Areas in Cryptography (SAC) 2013, Wu and Preneel proposed an Advanced Encryption Standard (AES)-based Authenticated-Encryption with an Associated-Data (AEAD) scheme called AEGIS-128/128L/256 to achieve high-speed on software [1]. To perform high-speed encryption, the AEGIS family utilises the AES New Instructions (AES-NI) [2, 3], which is a special instruction set of single instruction multiple data. The AEGIS family was submitted to CAESAR competition [4], and AEGIS-128 was selected as the final portfolio for high-performance applications. Nikolić proposed an efficient AEAD scheme called Tiaoxin-346 using AES-NI in 2014 [5], which was chosen as the third-round candidates in the CAESAR competition. At Fast Software Encryption (FSE) 2016, Jean and Nikolić generalised the round function of AEGIS and Tiaoxin-346, and proposed more efficient round functions than them [6]. At FSE 2022, Sakamoto et al. further optimised the round function of Jean and Nikolić, and proposed an AEAD scheme called Rocca [7,8] for Beyond 5G systems. These consist of an initialisation phase and encryption phase. In the initialisation phases, key and nonce are loaded into the state, and the initial state is generated. In the encryption phases, based on the initial state, keystream is generated with updating state values, and then a ciphertext is obtained by Xoring a plaintext and a key stream. | Existing workRecently, Takeuchi et al. evaluated the security against differential attacks [9] and integral attacks [10] for the initialisation phase of AEGIS and Rocca [11]. In designer's evaluations of Tiaoxin-346, t...

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Our Contributionmentioning

confidence: 95%

Section: Introductionmentioning

confidence: 97%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MILP‐based security evaluation for AEGIS/Tiaoxin‐346/Rocca

Shiraya

TAKEUCHI

Sakamoto

et al. 2023

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Takeuchi et al studied the optimality of the round function of Rocca [TSI23a]. See [TSI23b] for the security evaluation…”

Section: Related Workmentioning

confidence: 99%

Key Recovery, Universal Forgery, and Committing Attacks against Revised Rocca: How Finalization Affects Security

Takeuchi,

Todo,

Iwata

2024

ToSC

View full text Add to dashboard Cite

This paper examines the security of Rocca, an authenticated encryption algorithm designed for Beyond 5G/6G contexts. Rocca has been revised multiple times in the initialization and finalization for security reasons. In this paper, we study how the choice of the finalization affects the overall security of Rocca, covering key recovery, universal forgery, and committing attacks. We show a key-recovery attack faster than the exhaustive key search if a linear key mixing is used in the finalization. We also consider the ideally secure keyed finalization, which prevents key-recovery attacks. We show that, in the nonce-misuse setting, this does not prevent universal forgery with a practical data complexity, although the time complexity is high. Our result on committing attacks shows that none of the versions of Rocca considered in this paper is secure. We complete our analysis by presenting a concrete example of colliding inputs against the designers’ latest version of Rocca in the FROB setting, a strong notion of the committing security. Our analysis significantly improves the key committing attack against Rocca shown in ToSC 2024(1)/FSE 2024.

show abstract

Security Evaluation of Initialization Phases and Round Functions of Rocca and AEGIS

Cited by 2 publications

References 19 publications

MILP‐based security evaluation for AEGIS/Tiaoxin‐346/Rocca

MILP‐based security evaluation for AEGIS/Tiaoxin‐346/Rocca

Key Recovery, Universal Forgery, and Committing Attacks against Revised Rocca: How Finalization Affects Security

Contact Info

Product

Resources

About