Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality∗

Akiko Inoue, NEC Corporation, Kawasaki, Japan, [email protected]

Tetsu Iwata, Nagoya University, Nagoya, Japan, [email protected]

Kazuhiko Minematsu, NEC Corporation, Kawasaki, Japan, [email protected]

Bertram Poettering, IBM Research – Zurich, Rüschlikon, Switzerland, [email protected]

Communicated by Serge Vaudenay

Received 24 December 2019 / Revised 25 May 2020

Abstract. We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim to provide particularly efficient and provably secure authenticated encryption services, and since its proposal about 15 years ago it belongs to the top performers in this realm. OCB2 was included in an ISO standard in 2009. An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX∗ mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2’s security promises: We develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. As a direct consequence of our findings, OCB2 is currently in the process of being removed from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy attacks on OCB2 require an active adversary.

Keywords. OCB2, Authenticated encryption, Cryptanalysis, Forgery, Plaintext recovery, XEX.

∗ A preliminary version of this article was presented at CRYPTO 2019 [15] (https://doi.org/10.1007/978-3-030-26948-7_1). The full version is available at [16] (https://eprint.iacr.org/2019/311).

© International Association for Cryptologic Research 2020

A. Inoue et al.

1. Introduction

Authenticated encryption (AE) is a form of symmetric-key encryption that simultaneously protects the confidentiality and authenticity of messages. The primitive is widely accepted as a fundamental tool in practical cryptography, finding application in many settings, including in SSH and TLS. Constructions of the AE primitive include the OCB family of blockcipher modes of operation. Its three members (OCB1, OCB2, and OCB3) are celebrated for their beautiful and innovative architecture and their almost unrivaled efficiency. In fact, the modes are fully parallelizable and thus effectively as efficient as the fastest known confidentiality-only modes. The first version (OCB1) was proposed at ACM CCS 2001 by Rogaway et al. [39], the second version (OCB2) at ASIACRYPT 2004 by Rogaway [35] (hereafter Rog04), and the third version (OCB3) at FSE 2011 by Krovetz and Rogaway [24]. While all three designs share roughly the same construction principles, differences to note include both the external interface (while OCB1 is a pure AE mode, its successors OCB2 and OCB3 are AEAD modes where encryption and decryption is performed with respect to an auxiliary associated