Meet-in-the-Middle Key Recovery Attacks on Rocca Using Differential and Integral Properties

Rocca is an AES-based authentication encryption scheme proposed in 2021 for beyond 5G/6G systems. The latest version of Rocca injects the key into the initialization, which makes the key recovery attack on its original version no longer valid here. In this paper, we propose new key recovery attacks based on the idea of meet-in-the-middle. Benefiting from the design of the round function, we can treat each 128-bit block as a unit and then write the expressions of the internal states in terms of the initial state and the final state, respectively. Among them, we focus on the state blocks with relatively concise expressions, which have poor diffusion, and then explore their differential and integral properties. Next, in the key recovery attacks, we first guess a part of the key to calculate the specific values of state blocks at the middle matching positions, and then use the differential or integral properties on these blocks to validate the key guesses. Uniquely, in our integral cryptanalysis, we impose appropriate conditions to constrain the propagation of nonce, which corresponds to the weak keys. Consequently, we present the 9 and 10 rounds of meet-in-the-middle key recovery attacks on Rocca, as well as the weak key recovery attack for the 11-round Rocca based on integral properties, with four sets of weak keys with 2²²⁴ keys each.