Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality

  • Akiko Inoue
  • Tetsu Iwata
  • Kazuhiko Minematsu
  • Bertram Poettering
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11692)

Abstract

We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim of providing particularly efficient and provably secure authenticated encryption, and since its proposal about 15 years ago it has been among the top performers in this realm. OCB2 was included in an ISO standard in 2009.

An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX* mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2's security promises: we develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. To our understanding, as a direct consequence of our findings, OCB2 is currently in the process of being removed from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy (confidentiality) attacks on OCB2 require an active adversary, i.e. one who can submit ciphertexts for decryption.
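The XEX* misuse the abstract refers to, shown as an added example that is not code from the paper or its authors: a Go implementation of OCB2 over AES-128 from the standard library, restricted to whole-block messages with no associated data and a full 128-bit tag, together with the one-query forgery that opened this line of work (Inoue and Minematsu, ePrint 2018/1040). OCB2 masks the message blocks with XEX (mask on input and output) but computes Pad and Tag with XE (mask on input only); XEX* is only secure when no XE input can coincide with an XEX input, and OCB2 violates that when a message block equals len(n). The attacker below uses nothing but the encryption and decryption oracles; the key, nonce and message blocks are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

const n = 16                     // AES block size in bytes; masks live in GF(2^128)
var lenN = [n]byte{n - 1: 8 * n} // OCB2's len(M_m) for a whole last block: the integer n as an n-bit string

// double multiplies a block by x in GF(2^128); this is the "2L" of XEX and OCB.
func double(b [n]byte) (out [n]byte) {
	var carry byte
	for i := n - 1; i >= 0; i-- {
		out[i], carry = b[i]<<1|carry, b[i]>>7
	}
	out[n-1] ^= 0x87 * carry // reduce by x^128 + x^7 + x^2 + x + 1 without branching
	return
}

func xor(a, b [n]byte) (out [n]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return
}

// ocb2 is OCB2 restricted to whole-block messages, no associated data and tau = n.
type ocb2 struct{ bc cipher.Block }

func newOCB2(key []byte) ocb2 {
	bc, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return ocb2{bc}
}

func (o ocb2) enc(x [n]byte) (y [n]byte) { o.bc.Encrypt(y[:], x[:]); return }
func (o ocb2) dec(x [n]byte) (y [n]byte) { o.bc.Decrypt(y[:], x[:]); return }

// Encrypt follows Rogaway's OCB2: blocks 1..m-1 go through XEX (mask on input and
// output), while Pad and Tag are XE calls (mask on input only) with masks 2^m L and 2^m 3L.
func (o ocb2) Encrypt(nonce [n]byte, m [][n]byte) (c [][n]byte, tag [n]byte) {
	delta := o.enc(nonce) // L = E_K(N)
	var sigma [n]byte
	for i := 0; i < len(m)-1; i++ {
		delta = double(delta) // 2^i L
		c = append(c, xor(delta, o.enc(xor(m[i], delta))))
		sigma = xor(sigma, m[i])
	}
	delta = double(delta) // 2^m L
	pad := o.enc(xor(lenN, delta))
	c = append(c, xor(m[len(m)-1], pad))
	sigma = xor(sigma, xor(c[len(c)-1], pad)) // Sigma = M_1 .. M_{m-1} xor C_m xor Pad
	return c, o.enc(xor(sigma, xor(double(delta), delta)))
}

// Decrypt inverts the data path and then re-encrypts to verify the tag (simple, not fast).
func (o ocb2) Decrypt(nonce [n]byte, c [][n]byte, tag [n]byte) ([][n]byte, bool) {
	delta := o.enc(nonce)
	var m [][n]byte
	for i := range c {
		delta = double(delta)
		if i < len(c)-1 {
			m = append(m, xor(delta, o.dec(xor(c[i], delta))))
		} else {
			m = append(m, xor(c[i], o.enc(xor(lenN, delta))))
		}
	}
	if _, t := o.Encrypt(nonce, m); subtle.ConstantTimeCompare(t[:], tag[:]) != 1 {
		return nil, false
	}
	return m, true
}

// MinimalForgery needs one encryption query and one forged decryption. With M_1 = len(n),
// the XEX call E(M_1 xor 2L) in the query and the XE call E(len(n) xor 2L) that pads a
// one-block ciphertext share an input, which is exactly what XEX* security forbids.
func MinimalForgery(o ocb2, nonce [n]byte) (forgedC, forgedT, recovered2L [n]byte, ok bool) {
	m2 := [n]byte{0xde, 0xad, 0xbe, 0xef} // any second block works (constructed)
	c, _ := o.Encrypt(nonce, [][n]byte{lenN, m2})
	forgedC, forgedT = xor(c[0], lenN), xor(m2, c[1]) // C_1 xor len(n); M_2 xor C_2 equals Pad
	pt, ok := o.Decrypt(nonce, [][n]byte{forgedC}, forgedT)
	if ok {
		recovered2L = xor(pt[0], lenN) // the forgery decrypts to 2L xor len(n)
	}
	return
}

func main() {
	o := newOCB2([]byte("0123456789abcdef")) // constructed demo key
	nonce := [n]byte{0x01, 0x02, 0x03}          // constructed nonce
	c, t, twoL, ok := MinimalForgery(o, nonce)
	fmt.Printf("accepted=%v C'=%x T'=%x 2L==2*E_K(N): %v\n", ok, c, t, twoL == double(o.enc(nonce)))
}
```

The forged pair (C_1 xor len(n), M_2 xor C_2) was never output by the encryptor, yet it verifies, and the plaintext it decrypts to hands the adversary 2L, i.e. the secret mask E_K(N) for that nonce. That mask is precisely what the XEX* argument assumes stays hidden, which is why forgeries and, with decryption queries, plaintext recovery follow; OCB1 and OCB3 separate their XE and XEX inputs and are not affected.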

Keywords

OCB2 · Authenticated encryption · Cryptanalysis · Forgery · Plaintext recovery · XEX

Notes

Acknowledgements

The authors would like to thank Phil Rogaway for his response to our findings, and officials of ISO SC 27 for feedback and suggestions. We also would like to thank the reviewers of CRYPTO 2019 for useful comments.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. NEC Corporation, Kawasaki, Japan
  2. Nagoya University, Nagoya, Japan
  3. Royal Holloway, University of London, London, UK
  4. IBM Research Zurich, Zurich, Switzerland