Cryptology ePrint Archive: Report 2019/311

Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality

Akiko Inoue and Tetsu Iwata and Kazuhiko Minematsu and Bertram Poettering

Abstract: We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim to provide particularly efficient and provably-secure authenticated encryption services, and since its proposal about 15~years ago it belongs to the top performers in this realm. OCB2 was included in an ISO standard in 2009.

An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX$^\ast$ mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2's security promises: We develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. As a direct consequence of our findings, OCB2 was removed from ISO standards in 2019.

Our privacy attacks on OCB2 require an active adversary and are not applicable to the related schemes OCB1 and OCB3.

Category / Keywords: secret-key cryptography / OCB2, Authenticated Encryption, Cryptanalysis, Forgery, Plaintext Recovery, XEX

Original Publication (with minor differences): IACR-CRYPTO-2019

Date: received 19 Mar 2019, last revised 21 Jun 2019

Contact author: a-inoue at cj jp nec com,k-minematsu@ah jp nec com,tetsu iwata@nagoya-u jp,bertram poettering@rhul ac uk

Available format(s): PDF | BibTeX Citation

Note: This report is an edited amalgamation of three eprint reports by different groups of authors that appeared in Autumn 2018 in reports 2018/1040, 2018/1087, and 2018/1090.

Version: 20190621:141413 (All versions of this report)

Short URL: ia.cr/2019/311


[ Cryptology ePrint archive ]