Nan Liu, Chenhui Jin, Junwei Yu, Jie Guan, Ting Cui
{"title":"A novel distinguishing attack on Rocca","authors":"Nan Liu, Chenhui Jin, Junwei Yu, Jie Guan, Ting Cui","doi":"10.1049/cmu2.70008","DOIUrl":null,"url":null,"abstract":"<p>The security of an encryption algorithm often hinges on the indistinguishability between ciphertext and random numbers. In block ciphers, pseudorandomness and super-pseudorandomness are commonly used to depict the indistinguishability between ciphertext and random numbers. Whereas, stream cipher algorithms can be viewed as functions of variables such as the key K, initialization vector IV, and plaintext M. For an ideal stream cipher algorithm, the ciphertext sequences for any two different plaintexts should exhibit good independence across various K-IV pairs. Consequently, the probability of the two ciphertext sequences being equal or having sufficiently long matching segments should be negligible. This study examines a new type of attack that stems from key commitment attacks. By exploiting the independence between the ciphertext sequences, a novel distinguishing attack against the stream cipher is constructed and applied to the encryption of Rocca. Focusing on the authenticated encryption algorithm Rocca, a guess-and-determine method is employed to demonstrate that for any plaintext and two different sets of <span></span><math>\n <semantics>\n <mrow>\n <mo>(</mo>\n <mrow>\n <mi>k</mi>\n <mi>e</mi>\n <mi>y</mi>\n <mo>,</mo>\n <mi>N</mi>\n <mi>o</mi>\n <mi>n</mi>\n <mi>c</mi>\n <mi>e</mi>\n <mo>,</mo>\n <mi>A</mi>\n <mi>D</mi>\n </mrow>\n <mo>)</mo>\n </mrow>\n <annotation>$( {key,Nonce,AD} )$</annotation>\n </semantics></math>, another plaintext can be found with a time complexity <span></span><math>\n <semantics>\n <mrow>\n <mi>O</mi>\n <mo>(</mo>\n <msup>\n <mn>2</mn>\n <mn>160</mn>\n </msup>\n <mo>)</mo>\n </mrow>\n <annotation>$O( {{{2}^{160}}} )$</annotation>\n </semantics></math>, resulting in identical ciphertext sequences except for the initial <span></span><math>\n <semantics>\n <mrow>\n <mn>4</mn>\n <mo>×</mo>\n <mn>256</mn>\n </mrow>\n <annotation>$4 \\times 256$</annotation>\n </semantics></math> bits. Furthermore, it is proved that under chosen plaintext conditions, the time complexity of this distinguishing attack is <span></span><math>\n <semantics>\n <mrow>\n <mi>O</mi>\n <mo>(</mo>\n <msup>\n <mn>2</mn>\n <mn>96</mn>\n </msup>\n <mo>)</mo>\n </mrow>\n <annotation>$O( {{{2}^{96}}} )$</annotation>\n </semantics></math>. These findings imply that Rocca does not offer 256-bit security against such distinguishing attacks, providing valuable insights into the design of round update functions for stream ciphers like Rocca.</p>","PeriodicalId":55001,"journal":{"name":"IET Communications","volume":"19 1","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2025-02-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1049/cmu2.70008","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Communications","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/cmu2.70008","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}
引用次数: 0
Abstract
The security of an encryption algorithm often hinges on the indistinguishability between ciphertext and random numbers. In block ciphers, pseudorandomness and super-pseudorandomness are commonly used to depict the indistinguishability between ciphertext and random numbers. Whereas, stream cipher algorithms can be viewed as functions of variables such as the key K, initialization vector IV, and plaintext M. For an ideal stream cipher algorithm, the ciphertext sequences for any two different plaintexts should exhibit good independence across various K-IV pairs. Consequently, the probability of the two ciphertext sequences being equal or having sufficiently long matching segments should be negligible. This study examines a new type of attack that stems from key commitment attacks. By exploiting the independence between the ciphertext sequences, a novel distinguishing attack against the stream cipher is constructed and applied to the encryption of Rocca. Focusing on the authenticated encryption algorithm Rocca, a guess-and-determine method is employed to demonstrate that for any plaintext and two different sets of , another plaintext can be found with a time complexity , resulting in identical ciphertext sequences except for the initial bits. Furthermore, it is proved that under chosen plaintext conditions, the time complexity of this distinguishing attack is . These findings imply that Rocca does not offer 256-bit security against such distinguishing attacks, providing valuable insights into the design of round update functions for stream ciphers like Rocca.
期刊介绍:
IET Communications covers the fundamental and generic research for a better understanding of communication technologies to harness the signals for better performing communication systems using various wired and/or wireless media. This Journal is particularly interested in research papers reporting novel solutions to the dominating problems of noise, interference, timing and errors for reduction systems deficiencies such as wasting scarce resources such as spectra, energy and bandwidth.
Topics include, but are not limited to:
Coding and Communication Theory;
Modulation and Signal Design;
Wired, Wireless and Optical Communication;
Communication System
Special Issues. Current Call for Papers:
Cognitive and AI-enabled Wireless and Mobile - https://digital-library.theiet.org/files/IET_COM_CFP_CAWM.pdf
UAV-Enabled Mobile Edge Computing - https://digital-library.theiet.org/files/IET_COM_CFP_UAV.pdf
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
