Paper 2024/1527

How to Recover the Full Plaintext of XCB

Peng Wang, School of Cryptology, University of Chinese Academy of Sciences
Shuping Mao, Beijing Electronic Science & Technology Institute
Ruozhou Xu, State Grid Information & Telecommunication Branch
Jiwu Jing, School of Cryptology, University of Chinese Academy of Sciences
Yuewu Wang, School of Cryptology, University of Chinese Academy of Sciences
Abstract

XCB, a tweakable enciphering mode, is part of IEEE Std. 1619.2 for shared storage media. We show that all versions of XCB are not secure through three plaintext recovery attacks. A key observation is that XCB behaves like an LRW1-type tweakable block cipher for single-block messages, which lacks CCA security. The first attack targets one-block XCB, using three queries to recover the plaintext. The second one requires four queries to recover the plaintext that excludes one block. The last one requires seven queries to recover the full plaintext. The first attack applies to any scheme that follows the XCB structure, whereas the latter two attacks work on all versions of XCB, exploiting the separable property of the underlying universal hash function. We also discuss the impact of these vulnerabilities on XCB-based applications, such as disk encryption, nonce-based encryption, deterministic authenticated encryption and robust authenticated encryption, highlighting the risks due to XCB's failure to achieve STPRP security. To address these flaws, we propose the XCB* structure, an improved version of XCB that adds only two XOR operations. We prove that XCB* is STPRP-secure when using AXU hash functions, SPRPs, and a secure IV-based stream cipher.

Note: We revised the text in response to the recently uploaded paper by Bhati et al. ("Breaking, Repairing and Enhancing XCBv2 into the Tweakable Enciphering Mode GEM," ePrint 2024/1554). In an earlier version, the authors proposed a fixed version called XCBv3, along with a corresponding security proof. However, our attacks showed that XCBv3 is not secure, leading the authors to remove it from their revised paper. For further details, please see Appendix E of their work. In this new version of our paper, we also extend Bhati et al.'s partial plaintext recovery attack to a full plaintext recovery attack on XCBv2fb using only three queries.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
XCBTweakable enciphering modeLRW1CCA
Contact author(s)
p-wang @ ucas ac cn
maoshuping19 @ mails ucas ac cn
xuruozhou21 @ mails ucas ac cn
jwjing @ ucas ac cn
wangyuewu @ ucas ac cn
History
2024-10-09: last of 6 revisions
2024-09-29: received
See all versions
Short URL
https://ia.cr/2024/1527
License
Creative Commons Attribution-NonCommercial-NoDerivs
CC BY-NC-ND

BibTeX

@misc{cryptoeprint:2024/1527,
      author = {Peng Wang and Shuping Mao and Ruozhou Xu and Jiwu Jing and Yuewu Wang},
      title = {How to Recover the Full Plaintext of {XCB}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1527},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1527}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.