A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Jean Liénardy; Frédéric Lafitte

doi:10.1016/j.ipl.2023.106404

A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Jean Liénardy, Frédéric Lafitte

Applied Crypto Expertise

Publikation: Beitrag in Fachzeitschrift › Artikel › Begutachtung

Abstract

OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces. Different ways to fix the mode are presented.

Originalsprache	Englisch
Aufsatznummer	106404
Fachzeitschrift	Information Processing Letters
Jahrgang	183
DOIs	https://doi.org/10.1016/j.ipl.2023.106404
Publikationsstatus	Veröffentlicht - Jan. 2024

Zugriff auf Dokument

10.1016/j.ipl.2023.106404

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

OCB 1, 2, 3: the good, the bad and the ugly (EuroCrypt 2023 rump session)
Liénardy, J. (Eröffnungsredner)
25 Apr. 2023
Aktivität: Gespräch oder Vortrag › Vortrag

Dieses zitieren

@article{ed1628b5275340fc82433b299408d447,

title = "A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality",

abstract = "OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces. Different ways to fix the mode are presented.",

keywords = "Authenticated encryption, Cryptography, Forgery, OCB3, Plaintext recovery",

author = "Jean Li{\'e}nardy and Fr{\'e}d{\'e}ric Lafitte",

note = "Publisher Copyright: {\textcopyright} 2023 Elsevier B.V.",

year = "2024",

month = jan,

doi = "10.1016/j.ipl.2023.106404",

language = "English",

volume = "183",

journal = "Information Processing Letters",

issn = "0020-0190",

}

TY - JOUR

T1 - A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

AU - Liénardy, Jean

AU - Lafitte, Frédéric

PY - 2024/1

Y1 - 2024/1

N2 - OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces. Different ways to fix the mode are presented.

AB - OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces. Different ways to fix the mode are presented.

KW - Authenticated encryption

KW - Cryptography

KW - Forgery

KW - OCB3

KW - Plaintext recovery

UR - http://www.scopus.com/inward/record.url?scp=85159462901&partnerID=8YFLogxK

U2 - 10.1016/j.ipl.2023.106404

DO - 10.1016/j.ipl.2023.106404

M3 - Article

AN - SCOPUS:85159462901

SN - 0020-0190

VL - 183

JO - Information Processing Letters

JF - Information Processing Letters

M1 - 106404

ER -

A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Abstract

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Aktivitäten

OCB 1, 2, 3: the good, the bad and the ugly (EuroCrypt 2023 rump session)

Dieses zitieren