Journal: IEICE Transactions on fundamentals of electronics, communications & computer sciences

Security Evaluation of Initialization Phases and Round Functions of Rocca and AEGIS


Abstract

Authenticated-Encryption with Associated-Data (AEAD) plays an important role in guaranteeing confidentiality, integrity, and authenticity in network communications. To meet the requirements of high-performance applications, several AEADs make use of AES New Instructions (AES-NI), which can conduct operations of AES encryption and decryption dramatically fast by hardware accelerations. At SAC 2013, Wu and Preneel proposed an AES-based AEAD scheme called AEGIS-128/128L/256, to achieve high-speed software implementation. At FSE 2016, Jean and Nikolic generalized the construction of AEGIS and proposed more efficient round functions. At ToSC 2021, Sakamoto et al. further improved the constructions of Jean and Nikolic, and proposed an AEAD scheme called Rocca for beyond 5G. In this study, we first evaluate the security of the initialization phases of Rocca and AEGIS family against differential and integral attacks using MILP (Mixed Integer Linear Programming) tools. Specifically, according to the evaluation based on the lower bounds for the number of active S-boxes, the initialization phases of AEGIS-128/128L/256 are secure against differential attacks after 4/3/6 rounds, respectively. Regarding integral attacks, we present the integral distinguisher on 6 rounds and 6/5/7 rounds in the initialization phases of Rocca and AEGIS-128/128L/256, respectively. Besides, we evaluate the round function of Rocca and those of Jean and Nikolic as cryptographic permutations against differential, impossible differential, and integral attacks. Our results indicate that, for differential attacks, the growth rate of increasing the number of active S-boxes in Rocca is faster than those of Jean and Nikolic. For impossible differential and integral attacks, we show that the round function of Rocca achieves the sufficient level of the security against these attacks in smaller number of rounds than those of Jean and Nikolic.