Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality

Inoue, Akiko; Iwata, Tetsu; Minematsu, Kazuhiko; Poettering, Bertram

doi:10.1007/s00145-020-09359-8

Cited by 16 publications

(34 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also remark that the recent attacks on OCB2 by Inoue et al [IIMP19] is also not applicable against LOCUS. Basically, their attack exploits a flaw in the last block processing of OCB2.…”

Section: Some Remarks On Generic Cryptanalysis On Locus and Lotusmentioning

confidence: 79%

INT-RUP Secure Lightweight Parallel AE Modes

Chakraborti

Datta

Jha

et al. 2020

ToSC

View full text Add to dashboard Cite

Owing to the growing demand for lightweight cryptographic solutions, NIST has initiated a standardization process for lightweight cryptographic algorithms. Specific to authenticated encryption (AE), the NIST draft demands that the scheme should have one primary member that has key length of 128 bits, and it should be secure for at least 250 − 1 byte queries and 2112 computations. Popular (lightweight) modes, such as OCB, OTR, CLOC, SILC, JAMBU, COFB, SAEB, Beetle, SUNDAE etc., require at least 128-bit primitives to meet the NIST criteria, as all of them are just birthday bound secure. Furthermore, most of them are sequential, and they either use a two pass mode or they do not offer any security when the adversary has access to unverified plaintext (RUP model). In this paper, we propose two new designs for lightweight AE modes, called LOCUS and LOTUS, structurally similar to OCB and OTR, respectively. These modes achieve notably higher AE security bounds with lighter primitives (only a 64-bit tweakable block cipher). Especially, they satisfy the NIST requirements: secure as long as the data complexity is less than 264 bytes and time complexity is less than 2128, even when instantiated with a primitive with 64-bit block and 128-bit key. Both these modes are fully parallelizable and provide full integrity security under the RUP model. We use TweGIFT-64[4,16,16,4] (also referred as TweGIFT-64), a tweakable variant of the GIFT block cipher, to instantiate our AE modes. TweGIFT-64-LOCUS and TweGIFT-64-LOTUS are significantly light in hardware implementation. To justify, we provide our FPGA based implementation results, which demonstrate that TweGIFT-64-LOCUS consumes only 257 slices and 690 LUTs, while TweGIFT-64-LOTUS consumes only 255 slices and 664 LUTs.

show abstract

“…We also remark that the recent attacks on OCB2 by Inoue et al [IIMP19] is also not applicable against LOCUS. Basically, their attack exploits a flaw in the last block processing of OCB2.…”

Section: Some Remarks On Generic Cryptanalysis On Locus and Lotusmentioning

confidence: 79%

INT-RUP Secure Lightweight Parallel AE Modes

Chakraborti

Datta

Jha

et al. 2020

ToSC

View full text Add to dashboard Cite

show abstract

“…All these results clearly show the importance of cryptanalysis work against modes of operation, even when the attacks do not contradict the proofs. In addition, this type of work sometimes detects mistakes in the proofs, as shown with GCM [15] and OCB2 [14].…”

Section: Related Workmentioning

confidence: 99%

Universal Forgery Attack Against GCM-RUP

Li¹,

Leurent²,

Wang³

et al. 2020

Topics in Cryptology – CT-RSA 2020

View full text Add to dashboard Cite

Authenticated encryption (AE) schemes are widely used to secure communications because they can guarantee both confidentiality and authenticity of a message. In addition to the standard AE security notion, some recent schemes offer extra robustness, i.e. they maintain security in some misuse scenarios. In particular, Ashur, Dunkelman and Luykx proposed a generic AE construction at CRYPTO'17 that is secure even when releasing unverified plaintext (the RUP setting), and a concrete instantiation, GCM-RUP. The designers proved that GCM-RUP is secure up to the birthday bound in the nonce-respecting model. In this paper, we perform a birthday-bound universal forgery attack against GCM-RUP, matching the bound of the proof. While there are simple distinguishing attacks with birthday complexity on GCM-RUP, our attack is much stronger: we have a partial key recovery leading to universal forgeries. For reference, the best known universal forgery attack against GCM requires 2 2n/3 operations, and many schemes do not have any known universal forgery attacks faster than 2 n. This suggests that GCM-RUP offers a different security trade-off than GCM: stronger protection in the RUP setting, but more fragile when the data complexity reaches the birthday bound. In order to avoid this attack, we suggest a minor modification of GCM-RUP that seems to offer better robustness at the birthday bound.

show abstract

“…This also holds for AEAD designs, where it seems fair to say that the high level of integration that the most efficient blockcipher-based schemes feature also makes the schemes challenging to fully comprehend and surround on a formal level. A prime example of where the security argument of an intricate AEAD scheme turned out to be fatally flawed, and this went unnoticed for a rather long period of time, is given by the recent results on OCB2 that completely broke the scheme [IIMP19]. There are several similar cases to report on, including the flawed EAX' scheme [MLMI14], a flawed argument in the security proof of GCM [IOM12], and flaws in some of the CAESAR submissions [Nan14,BS16,SMAP16].…”

Section: Motivation For Aead Combinersmentioning

confidence: 99%

“…That is, encryption and integrity protection of the message are conducted independently of the associated data. Examples where this technique is used include EAX [BRW04] and the OCB family (OCB3 [KR11] and the insecure OCB2 [Rog04,IIMP19]).…”

Section: Ciphertext Translation Based Aeadmentioning

confidence: 99%

Combiners for AEAD

Poettering¹,

Rösler²

2020

ToSC

Self Cite

View full text Add to dashboard Cite

The Authenticated Encryption with Associated Data (AEAD) primitive, which integrates confidentiality and integrity services under a single roof, found wide-spread adoption in industry and became indispensable in practical protocol design. Recognizing this, academic research put forward a large number of candidate constructions, many of which come with provable security guarantees. Nevertheless, the recent past has shaken up with the discovery of vulnerabilities, some of them fatal, in well-regarded schemes, stemming from weak underlying primitives, flawed security arguments, implementation-level vulnerabilities, and so on. Simply reacting to such findings by replacing broken candidates by better(?) ones is in many cases unduly, costly, and sometimes just impossible. On the other hand, as attack techniques and opportunities change over time, it seems venturous to propose any specific scheme if the intended lifetime of its application is, say, twenty years.In this work we study a workable approach towards increasing the resilience against unforeseen breaks of AEAD primitives. Precisely, we consider the ability to combine two AEAD schemes into one such that the resulting AEAD scheme is secure as long as at least one of its components is (or: as long as at most one component is broken). We propose a series of such combiners, some of which work with fully generic AEAD components while others assume specific internal structures of the latter (like an encrypt-then-MAC design). We complement our results by proving the optimality of our constructions by showing the impossibility of combiners that get along with less invocations of the component algorithms.

show abstract

Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality

Cited by 16 publications

References 28 publications

INT-RUP Secure Lightweight Parallel AE Modes

INT-RUP Secure Lightweight Parallel AE Modes

Universal Forgery Attack Against GCM-RUP

Combiners for AEAD

Contact Info

Product

Resources

About