Cryptology ePrint Archive: Report 2018/1040

Cryptanalysis of OCB2

Akiko Inoue and Kazuhiko Minematsu

Abstract: We present practical attacks against OCB2, an ISO-standard authenticated encryption (AE) scheme. OCB2 is a highly efficient blockcipher mode of operation. It has been extensively studied and widely believed to be secure thanks to its provable security proofs. Our attacks allow the adversary to create forgeries with a single encryption query of an almost-known plaintext. This attack can be further extended to powerful almost-universal and universal forgeries using more queries. The source of our attacks is the way OCB2 implements AE using a tweakable blockcipher, called XEX*. We have verified our attacks using a reference code of OCB2. Our attacks do not break the privacy of OCB2, and are not applicable to the other OCB versions, including OCB1 and OCB3.

Category / Keywords: secret-key cryptography / OCB, Authenticated Encryption, Cryptanalysis, Forgery, XEX

Date: received 26 Oct 2018, last revised 11 Nov 2018

Contact author: k-minematsu at ah jp nec com


Note: Added a section on the universal forgery attack.

Version: 20181111:142517

Short URL: ia.cr/2018/1040
