Although Rocca is an authenticated encryption mode producing and consuming a tag, it's possible that the user may deliberately not want to validate with a tag in some cases (they may not have it, or they may be achieving integrity checking in another way). I may point to a kind of "daisy chained" series of AEAD operations, or a length-preserving all-or-nothing-transform as examples.

And so this is a suggestion to consider a variant in this (and related/Morus) code to not validate against a tag when the user deliberately wants to do that.

A related idea is to have the decrypt produce the tag that the in-place encryption would have produced, and to return it instead of consuming it.

I can have some self-contained test cases on this in the coming days to showcase this, although speaking at a high level, I noticed that with this (Rocca) code (but not the similarly designed Morus one), small-sized (< 16 byte) inputs and/or inputs not a multiple of the blocksize, the decryption of an encrypted plaintext didn't return the original. For larger inputs or full integer multiple sizes I believe it was all working correctly. I thought this would be easy to reproduce with some test inputs at those sizes, but if not, please let me know. Note that the very similarly styled implementation for Morus didn't have an issue. Because these have similar design, looking at differences between them may help uncover what's going on. I'm using the encrypt/decrypt in-place mode.

You may have seen this, but there's now an Internet Draft for Rocca-S, which has a 256-bit tag.