Cryptology ePrint Archive: Report 2016/1059

The INT-RUP Security of OCB with Intermediate (Parity) Checksum

Ping Zhang, Peng Wang, and Honggang Hu

Abstract: OCB provides neither integrity under releasing unverified plaintext (INT-RUP) nor nonce-misuse resistance. The tag of OCB is generated by encrypting the plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we fix the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modified schemes, OCB-IC and OCB-IPC, to settle the INT-RUP security of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than that of OCB-IC. To improve their speed, we utilize a "prove-then-prune" approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations).

Category / Keywords: secret-key cryptography / OCB, INT-RUP, nonce-misuse, checksum, MTPRP, prove-then-prune

Date: received 10 Nov 2016

Contact author: zgp at mail ustc edu cn

Version: 20161115:150015

Short URL: ia.cr/2016/1059
