Paper 2018/1090

Plaintext Recovery Attack of OCB2

Tetsu Iwata


Inoue and Minematsu [Cryptology ePrint Archive: Report 2018/1040] presented efficient forgery attacks against OCB2, and Poettering [Cryptology ePrint Archive: Report 2018/1087] presented a distinguishing attack. In this short note, based on these results, we show a plaintext recovery attack against OCB2 in the chosen plaintext and ciphertext setting. We also show that the decryption oracle of the underlying block cipher can be simulated. This complements the simulation of the encryption oracle of the block cipher by Poettering in [Cryptology ePrint Archive: Report 2018/1087].

Note: See [Cryptology ePrint Archive: Report 2019/311] that appeared on March 20, 2019, which is a joint report that includes the findings of [Cryptology ePrint Archive: Report 2018/1040] (by Inoue and Minematsu), [Cryptology ePrint Archive: Report 2018/1087] (by Poettering), and this report.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
OCB2plaintext recovery attackchosen plaintext and ciphertext setting
Contact author(s)
tetsu iwata @ nagoya-u jp
2019-03-21: last of 3 revisions
2018-11-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Tetsu Iwata},
      title = {Plaintext Recovery Attack of OCB2},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1090},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.