Paper 2018/1040

Cryptanalysis of OCB2

Akiko Inoue and Kazuhiko Minematsu


We present practical attacks against OCB2, an ISO-standard authenticated encryption (AE) scheme. OCB2 is a highly efficient blockcipher mode of operation. It has been extensively studied and widely believed to be secure thanks to its provable-security proofs. Our attacks allow the adversary to create forgeries with a single encryption query of an almost-known plaintext. This attack can be further extended to powerful almost-universal and universal forgeries using more queries. The source of our attacks is the way OCB2 implements AE using a tweakable blockcipher, called XEX*. We have verified our attacks using reference code of OCB2. Our attacks do not break the privacy of OCB2, and are not applicable to the other OCB versions, including OCB1 and OCB3.

Note: Added a section on the universal forgery attack.

Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: OCB, Authenticated Encryption, Cryptanalysis, Forgery, XEX
Contact author(s): k-minematsu @ ah jp nec com
History: 2018-10-30: received; 2018-11-11: last of 2 revisions
License: Creative Commons Attribution


      author = {Akiko Inoue and Kazuhiko Minematsu},
      title = {Cryptanalysis of OCB2},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1040},
      year = {2018},
      note = {\url{}},
      url = {}