Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

Gjiriti, Emiljano; Reyhanitabar, Reza; Vizár, Damian

doi:10.46586/tosc.v2021.i2.446-468

Cited by 2 publications

(1 citation statement)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The efficiency is limited, while this result does show that achieving Claim 1 in a provable security paradigm is feasible. We remark that works on AEAD schemes with variable stretches [RVV16,GRV21] consider a problem of varying the tag length during the lifetime of the key, which is a different problem from the focus of this paper.…”

Section: Introductionmentioning

confidence: 98%

Cryptanalysis of Rocca and Feasibility of Its Security Claim

Hosoyamada¹,

Inoue

Ito

et al. 2022

ToSC

View full text Add to dashboard Cite

Rocca is an authenticated encryption with associated data scheme for beyond 5G/6G systems. It was proposed at FSE 2022/ToSC 2021(2), and the designers make a security claim of achieving 256-bit security against key-recovery and distinguishing attacks, and 128-bit security against forgery attacks (the security claim regarding distinguishing attacks was subsequently weakened in the full version in ePrint 2022/116). A notable aspect of the claim is the gap between the privacy and authenticity security. In particular, the security claim regarding key-recovery attacks allows an attacker to obtain multiple forgeries through the decryption oracle. In this paper, we first present a full key-recovery attack on Rocca. The data complexity of our attack is 2128 and the time complexity is about 2128, where the attack makes use of the encryption and decryption oracles, and the success probability is almost 1. The attack recovers the entire 256-bit key in a single-key and nonce-respecting setting, breaking the 256-bit security claim against key-recovery attacks. We then extend the attack to various security models and discuss several countermeasures to see the feasibility of the security claim. Finally, we consider a theoretical question of whether achieving the security claim of Rocca is possible in the provable security paradigm. We present both negative and positive results to the question.

show abstract

Section: Introductionmentioning

confidence: 98%