Paper 2016/1059

The INT-RUP Security of OCB with Intermediate (Parity) Checksum

Ping Zhang, Peng Wang, and Honggang Hu

Abstract

OCB is neither integrity under releasing unvieried plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we x the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modied schemes OCB-IC and OCB-IPC to settle the INT-RUP of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than OCB-IC. To improve their speed, we utilize a \prove-then-prune" approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations).

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
OCBINT-RUPnonce-misusechecksumMTPRPprove- then-prune
Contact author(s)
zgp @ mail ustc edu cn
History
2016-11-15: received
Short URL
https://ia.cr/2016/1059
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/1059,
      author = {Ping Zhang and Peng Wang and Honggang Hu},
      title = {The {INT}-{RUP} Security of {OCB} with Intermediate (Parity) Checksum},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/1059},
      year = {2016},
      url = {https://eprint.iacr.org/2016/1059}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.