Published in: Journal of Cryptology 4/2020

29-06-2020

Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality

Authors: Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, Bertram Poettering

Abstract

We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim to provide particularly efficient and provably secure authenticated encryption services, and since its proposal about 15 years ago it belongs to the top performers in this realm. OCB2 was included in an ISO standard in 2009. An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in \({\text {XEX}}^*\) mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2’s security promises: We develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. As a direct consequence of our findings, OCB2 is currently in a process of removal from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy attacks on OCB2 require an active adversary.
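The restriction the abstract alludes to is the tweak-separation rule of XEX*: evaluations that use the inverse-free XE form (in OCB2, the pad for the last block and the tag) and evaluations that use the two-sided XEX form (the full message blocks, whose decryption needs E inverse) must never share a tweak. OCB2 masks message block i with 2^i L and the pad of an m-block message with 2^m L, so the XEX mask 2L of block 1 in a two-block message coincides with the XE pad mask 2L of a one-block message. The block below is an added example, not code from the paper or its authors: it implements OCB2 as specified in [35] (empty associated data, so the PMAC part is omitted, and a full-block tag) and replays the paper's minimal forgery as recalled from its CRYPTO 2019 version [15]. The attacker makes one nonce-respecting encryption query with M = len(0^n) || 0^n and then submits the single-block ciphertext C[1] xor len(0^n) with tag C[2] under the same nonce; decryption accepts it. The accepted plaintext equals 2L xor len(0^n), which is the entry point for the L-recovery attacks mentioned in footnote 14 and the reason the repair discussed in footnote 18 has to reject messages built from len(0^{n-s}) blocks. Assumptions: the blockcipher is a 4-round HMAC-SHA256 Feistel network standing in for AES so that the example runs on the standard library alone (the attack does not depend on the cipher), and the key and nonce are constructed test values.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128 bits

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf_double(x: bytes) -> bytes:
    """Multiply by 2 in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (OCB's doubling)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")

class FeistelCipher:
    """Assumption: stand-in 128-bit blockcipher used instead of AES so the example needs only
    the standard library. 4-round Feistel with HMAC-SHA256 round functions; the forgery is
    blockcipher-agnostic, so the choice does not affect the attack."""

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def encrypt(self, x: bytes) -> bytes:
        l, r = x[:8], x[8:]
        for rnd in range(4):
            l, r = r, xor(l, self._f(rnd, r))
        return l + r

    def decrypt(self, y: bytes) -> bytes:
        l, r = y[:8], y[8:]
        for rnd in reversed(range(4)):
            l, r = xor(r, self._f(rnd, l)), l
        return l + r

def ocb2_len(nbits: int) -> bytes:
    """len(X): the n-bit big-endian encoding of the bit length of the last block."""
    return nbits.to_bytes(BLOCK, "big")

def split_blocks(data: bytes) -> list:
    """OCB2 partitioning: m >= 1 blocks, the last one 0..n bits (empty input gives one empty block)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]

def _ocb2(E, nonce: bytes, data: bytes, decrypting: bool):
    """OCB2 core (Rogaway 2004) for empty associated data. Returns (output, tag)."""
    L = E.encrypt(nonce)
    blocks = split_blocks(data)
    delta, checksum, out = L, bytes(BLOCK), []
    for blk in blocks[:-1]:                    # full blocks: XEX with mask 2^i L
        delta = gf_double(delta)
        if decrypting:
            pt, ct = xor(E.decrypt(xor(blk, delta)), delta), blk
        else:
            pt, ct = blk, xor(E.encrypt(xor(blk, delta)), delta)
        out.append(pt if decrypting else ct)
        checksum = xor(checksum, pt)
    delta = gf_double(delta)                   # 2^m L
    last_in = blocks[-1]
    pad = E.encrypt(xor(ocb2_len(8 * len(last_in)), delta))   # XE under the same mask family as the XEX calls above
    last_out = xor(last_in, pad[:len(last_in)])
    out.append(last_out)
    c_last = last_in if decrypting else last_out
    checksum = xor(checksum, c_last + bytes(BLOCK - len(c_last)))   # Sigma includes C[m]0*
    checksum = xor(checksum, pad)
    tag = E.encrypt(xor(checksum, xor(gf_double(delta), delta)))   # tag mask 2^m * 3 L
    return b"".join(out), tag

def ocb2_encrypt(E, nonce: bytes, msg: bytes):
    return _ocb2(E, nonce, msg, decrypting=False)

def ocb2_decrypt(E, nonce: bytes, ct: bytes, tag: bytes):
    msg, expected = _ocb2(E, nonce, ct, decrypting=True)
    return msg if hmac.compare_digest(expected, tag) else None

def minimal_forgery(encrypt_oracle, nonce: bytes):
    """One chosen-plaintext query, no key material. Query M = len(0^n) || 0^n, so that
    C[1] = E(len xor 2L) xor 2L and C[2] = E(len xor 4L). The one-block ciphertext
    C' = C[1] xor len(0^n) is decrypted with pad E(len xor 2L), giving checksum
    2L xor len(0^n) and tag E(len xor 4L) = C[2]."""
    len_block = ocb2_len(8 * BLOCK)
    ct, _tag = encrypt_oracle(nonce, len_block + bytes(BLOCK))
    return xor(ct[:BLOCK], len_block), ct[BLOCK:]

def demo() -> dict:
    E = FeistelCipher(bytes.fromhex("000102030405060708090a0b0c0d0e0f"))  # constructed key
    nonce = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")             # constructed nonce
    forged_ct, forged_tag = minimal_forgery(lambda n, m: ocb2_encrypt(E, n, m), nonce)
    m_forged = ocb2_decrypt(E, nonce, forged_ct, forged_tag)  # None would mean the tag was rejected
    two_L = gf_double(E.encrypt(nonce))                        # only used here to confirm the leak
    return {
        "forgery_accepted": m_forged is not None,
        "plaintext_leaks_2L": m_forged is not None and xor(m_forged, ocb2_len(8 * BLOCK)) == two_L,
    }

if __name__ == "__main__":
    print(demo())
```

Halving the leaked value in GF(2^128) gives L = E_K(N) itself, and with L in hand the attacker can compute every mask for that nonce, which is what turns this minimal forgery into the universal forgery and plaintext-recovery attacks the abstract describes.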

Footnotes

3. ISO document Draft Amendment ISO/IEC 19772:2009/DAM 1:2019 lists OCB2 as a deprecated scheme. The document is currently available at https://www.iso.org/standard/77459.html.

7. We do not employ a dedicated symbol for the ciphertext space but instead use the symbol \(\mathcal{M}\) for both messages and ciphertexts.

8. We clarify that the PRIV-CCA notion does not imply the AUTH notion, and in particular not AE. To see this, modify any PRIV-CCA secure scheme by augmenting the ciphertext space by one additional ciphertext that always decrypts to some fixed message, independently of the used key, nonce, and associated data. This modified scheme provides PRIV-CCA but not AUTH.

9. In that paper the mode was actually referred to as OCB1; what we call OCB1 was referred to as OCB in [35].

10. The PMAC version from [36] is slightly different from the initial version [9] in that it uses doublings for mask generation and is adapted to be computationally independent from the encryption part when combined with OCB2.

11. The attack does not require knowledge of the contents of blocks \(M[1],\ldots ,M[m-2]\), but does depend on their sum \(M[1]\oplus \cdots \oplus M[m-2]\).

12. See Fig. 1 for an example: Our notation \(\mathcal {E}_E(N,A,M)\) suggests that the mode's key is the access to E and its inverse; the key K does not appear at this level of abstraction.

13. The number of pairs can be fewer than \(m+1\) if collisions occur. This happens, however, only with negligible probability.

14. The technique of first learning value L in order to then attack the security of OCB was already explored in prior work. While Ferguson [12] recovered L from collisions arising during the encryption of very long messages, Vaudenay and Vizár [43] achieved L-recovery in a setting that is not nonce-respecting. Notably, [43] observed that learning L suffices to recover arbitrary blockcipher mappings.

15. An equivalent mode for OCB3 is called \(\mathrm {\Theta }\text {CB}3\) [24].

16. We note that the constant 9.5 in \( \mathbf{Adv} ^{ \textsf {tsprp}}_{{\text {XEX}}^*_{\mathsf P}}({\mathcal {B}}_\pm )\) in (7) was improved to 4.5 in [30].

17. Recent work on AEAD combiners [33] suggests operating multiple AEAD schemes and combining their results, with the effect that the result is secure if at least one of the ingredient schemes is. This approach might be interesting if the unproven methods proposed here are used.

18. We caution that this change might not be sufficient. Our results from Sect. 4.4 indicate that more plaintexts and ciphertexts have to be rejected: on the encryptor's side all messages with \(M[m-1]=\texttt {len}(0^{n-s})\) for some \(s=1,\ldots ,n\), and on the decryptor's side all ciphertexts that would result in \(M^*[m-1]=\texttt {len}(0^{n-s})\) for some \(s=1,\ldots ,n\). We are still investigating which conditions would be necessary/sufficient for security.
Literature

1. E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, Dec 7–11 (Springer, Heidelberg, Germany, Kaoshiung, Taiwan, R.O.C., 2014), pp. 105–125
2. K. Aoki, K. Yasuda, The security of the OCB mode of operation without the SPRP assumption, in Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, Oct 23–25 (Springer, Heidelberg, Germany, Melaka, Malaysia, 2013), pp. 202–220
3. T. Ashur, O. Dunkelman, A. Luykx, Boosting authenticated encryption robustness with minimal modifications, in Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, Aug 20–24 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 2017), pp. 3–33
4. Z. Bao, J. Guo, T. Iwata, K. Minematsu, ZOCB and ZOTR: Tweakable blockcipher modes for authenticated encryption with full absorption. IACR Trans. Symm. Cryptol. 2019(2), 1–54 (2019)
5. M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS, Oct 19–22 (IEEE Computer Society Press, Miami Beach, Florida, 1997), pp. 394–403
6. M. Bellare, P. Rogaway, D. Wagner, The EAX mode of operation, in Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, Feb 5–7 (Springer, Heidelberg, Germany, New Delhi, India, 2004), pp. 389–407
8. J. Black, M. Cochran, MAC reforgeability, in Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, Feb 22–25 (Springer, Heidelberg, Germany, Leuven, Belgium, 2009), pp. 345–362
9. J. Black, P. Rogaway, A block-cipher mode of operation for parallelizable message authentication, in Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, Apr 28 – May 2 (Springer, Heidelberg, Germany, Amsterdam, The Netherlands, 2002), pp. 384–397
10. R. Bost, O. Sanders, Trick or tweak: On the (in)security of OTR's tweaks, in Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, Dec 4–8 (Springer, Heidelberg, Germany, Hanoi, Vietnam, 2016), pp. 333–353
13. C. Forler, E. List, S. Lucks, J. Wenzel, Reforgeability of authenticated encryption schemes, in Pieprzyk, J., Suriadi, S. (eds.) ACISP 17, Part II. LNCS, vol. 10343, Jul 3–5 (Springer, Heidelberg, Germany, Auckland, New Zealand, 2017), pp. 19–37
14. R. Granger, P. Jovanovic, B. Mennink, S. Neves, Improved masking for tweakable blockciphers with applications to authenticated encryption, in Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, May 8–12 (Springer, Heidelberg, Germany, Vienna, Austria, 2016), pp. 263–293
15. A. Inoue, T. Iwata, K. Minematsu, B. Poettering, Cryptanalysis of OCB2: Attacks on authenticity and confidentiality, in Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, Aug 18–22 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 2019), pp. 3–31
18. A. Inoue, K. Minematsu, Parallelizable authenticated encryption with small state size, in Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, Aug 12–16 (Springer, Heidelberg, Germany, Waterloo, ON, Canada, 2019), pp. 618–644
19. ISO: Information Technology—Security techniques—Authenticated encryption, ISO/IEC 19772:2009. International Standard ISO/IEC 19772 (2009)
22. T. Iwata, K. Kurosawa, OMAC: One-key CBC MAC, in Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, Feb 24–26 (Springer, Heidelberg, Germany, Lund, Sweden, 2003), pp. 129–153
23. T. Iwata, K. Ohashi, K. Minematsu, Breaking and repairing GCM security proofs, in Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, Aug 19–23 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 2012), pp. 31–49
24. T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, Feb 13–16 (Springer, Heidelberg, Germany, Lyngby, Denmark, 2011), pp. 306–327
25. T. Krovetz, P. Rogaway, The OCB Authenticated-Encryption Algorithm. IRTF RFC 7253 (2014)
26. M. Liskov, R.L. Rivest, D. Wagner, Tweakable block ciphers, in Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, Aug 18–22 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 2002), pp. 31–46
27. B. Mennink, XPX: Generalized tweakable Even-Mansour with improved security guarantees, in Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, Aug 14–18 (Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 2016), pp. 64–94
28. K. Minematsu, Parallelizable rate-1 authenticated encryption from pseudorandom functions, in Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, May 11–15 (Springer, Heidelberg, Germany, Copenhagen, Denmark, 2014), pp. 275–292
29. K. Minematsu, S. Lucks, H. Morita, T. Iwata, Attacks and security proofs of EAX-prime, in Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, Mar 11–13 (Springer, Heidelberg, Germany, Singapore, 2014), pp. 327–347
30. K. Minematsu, T. Matsushima, Generalization and Extension of \(\text{XEX}^{*}\) Mode. IEICE Transactions 92-A(2), 517–524 (2009)
31. M. Nandi, Forging attacks on two authenticated encryption schemes COBRA and POET, in Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, Dec 7–11 (Springer, Heidelberg, Germany, Kaoshiung, Taiwan, R.O.C., 2014), pp. 126–140
34. P. Rogaway, Authenticated-encryption with associated-data, in Atluri, V. (ed.) ACM CCS 2002, Nov 18–22 (ACM Press, Washington, DC, USA, 2002), pp. 98–107
35. P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, Dec 5–9 (Springer, Heidelberg, Germany, Jeju Island, Korea, 2004), pp. 16–31
37. P. Rogaway, Nonce-based symmetric encryption, in Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, Feb 5–7 (Springer, Heidelberg, Germany, New Delhi, India, 2004), pp. 348–359
38. P. Rogaway, On the Role of Definitions in and Beyond Cryptography, in Maher, M.J. (ed.) Advances in Computer Science - ASIAN 2004. Higher-Level Decision Making. ASIAN 2004. Lecture Notes in Computer Science, vol. 3321 (Springer, Berlin, Heidelberg, 2004)
39. P. Rogaway, M. Bellare, J. Black, T. Krovetz, OCB: A block-cipher mode of operation for efficient authenticated encryption, in Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, Nov 5–8 (ACM Press, Philadelphia, PA, USA, 2001), pp. 196–205
41. W. Schroé, B. Mennink, E. Andreeva, B. Preneel, Forgery and subkey recovery on CAESAR candidate iFeed, in Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, Aug 12–14 (Springer, Heidelberg, Germany, Sackville, NB, Canada, 2016), pp. 197–204
42. Z. Sun, P. Wang, L. Zhang, Collision attacks on variant of OCB mode and its series, in Inscrypt. LNCS, vol. 7763 (Springer, 2012), pp. 216–224
43. S. Vaudenay, D. Vizár, Can Caesar beat Galois? - Robustness of CAESAR candidates against nonce reusing and high data complexity attacks, in Preneel, B., Vercauteren, F. (eds.) ACNS 18. LNCS, vol. 10892, Jul 2–4 (Springer, Heidelberg, Germany, Leuven, Belgium, 2018), pp. 476–494
Metadata
Title
Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality
Authors
Akiko Inoue
Tetsu Iwata
Kazuhiko Minematsu
Bertram Poettering
Publication date
29-06-2020
Publisher
Springer US
Published in
Journal of Cryptology / Issue 4/2020
Print ISSN: 0933-2790
Electronic ISSN: 1432-1378
DOI
https://doi.org/10.1007/s00145-020-09359-8
