Paper 2023/326

A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Jean Liénardy, Royal Military Academy
Frédéric Lafitte, Royal Military Academy
Abstract

OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonce. Different ways to fix the mode are presented.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Information Processing Letters
Keywords
OCB3Authenticated EncryptionForgeryPlaintext recovery
Contact author(s)
jean lienardy @ mil be
frederic lafitte @ mil be
History
2023-03-06: approved
2023-03-06: received
See all versions
Short URL
https://ia.cr/2023/326
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/326,
      author = {Jean Liénardy and Frédéric Lafitte},
      title = {A weakness in {OCB3} used with short nonces allowing for a break of authenticity and confidentiality},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/326},
      year = {2023},
      url = {https://eprint.iacr.org/2023/326}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.