Abstract
Offset codebook mode (OCB) provides neither integrity under release of unverified plaintext (INT-RUP) nor nonce-misuse resistance. The tag of OCB is generated by encrypting a plaintext checksum, and this is exactly what fails in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new type of structure, called plaintext and ciphertext checksum (PCC), which generalizes the plaintext checksum, and prove that every authenticated encryption scheme with PCC is insecure in the INT-RUP security model. We then fix the weakness of PCC and present another new type of structure, called intermediate checksum (IC), for generating the authentication tag. To settle the INT-RUP security of OCB in the nonce-misuse setting, we provide a modified OCB scheme based on IC, called OCB-IC. OCB-IC is proven INT-RUP secure up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). Finally, we discuss further properties of OCB-IC.
Notes
1. This covers the following cases: (i) the adversary does not repeat prior queries to any oracle, (ii) the adversary does not ask the decryption oracle \(\mathcal {D}_K(Y)\) or the verification oracle \(\mathcal {V}_K(Y)\) after receiving Y in response to an encryption query \(\mathcal {E}_K(X)\), and (iii) the adversary does not ask the encryption oracle \(\mathcal {E}_K(X)\) after receiving X in response to a decryption query \(\mathcal {D}_K(Y)\).
Acknowledgments
We would like to express our sincere thanks to the editors and the anonymous reviewers for their valuable comments and suggestions. This work was supported by the National Natural Science Foundation of China (Grant Nos. 61522210, 61632013, and 61271271), the 100 Talents Program of the Chinese Academy of Sciences, and the Fundamental Research Funds for the Central Universities in China (Grant No. WK2101020005).
Appendix: Blockcipher-based OCB-IC
To realize OCB-IC with a tweakable blockcipher \(\widetilde{E}: \mathcal {K}\times \mathcal {T}\times \{0,1\}^n\rightarrow \{0,1\}^n\), where \(\mathcal {T}=\{0,1\}^n\times \mathcal {I}\times \mathcal {J}\) is a tweak space, \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers, we use a conventional block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\) to instantiate OCB-IC[\(\widetilde{E}\)] by the XEX* construction \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\). Overloading the notation, we rewrite this scheme as OCB-IC[E].
An overview of OCB-IC[E] is depicted in Fig. 3. OCB-IC[E] consists of three algorithms: an encryption algorithm \(\mathcal {E}_K\), a decryption algorithm \(\mathcal {D}_K\), and a verification algorithm \(\mathcal {V}_K\). The detailed description of OCB-IC[E] is given in Fig. 4. If the underlying block cipher E is a secure strong pseudorandom permutation (SPRP), OCB-IC[E] is proven INT-RUP secure up to the birthday bound in the nonce-misuse setting.
Theorem 4
(INT-RUP Security of OCB-IC with a Block Cipher). Fix a block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\) and a tweakable blockcipher \(\widetilde{E}: \mathcal {K} \times \mathcal {T}\times \{0, 1\}^n\rightarrow \{0, 1\}^n\), where \(\mathcal {T}=\{0,1\}^n\times \mathcal {I}\times \mathcal {J}\) is a tweak space, \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers. Assume \(2^i3^j\ne 1\) for all \((i,j)\in \mathcal {I}\times \mathcal {J}\). Let \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\) and let \(\mathcal {A}\) be a nonce-misusing adversary. Then we have
where the new adversary \(\mathcal {B}\) has an additional running time equal to the time needed to process the queries of \(\mathcal {A}\).
Proof Sketch: We introduce dummy masks \(\{2L,2^2L,\cdots ,2^l\cdot L,2^l\cdot 3L\}\) to rewrite OCB-IC[E] in terms of the XEX* construction, where \(L=E_K(N)\). By Lemma , OCB-IC[E] can be replaced with OCB-IC[\(\widetilde{E}\)]. Such a replacement costs us
Therefore, combining with Theorem 3, we can easily obtain the bound of INT-RUP on OCB-IC[E].
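The following Python script is an added illustration, not code from the paper or from any OCB implementation. It ties together the two points the page makes: the appendix's XEX* instantiation with masks \(2^i3^jL\), \(L=E_K(N)\) (block i uses \(2^iL\) with XEX, the tag uses \(2^l3L\) with XE), and the abstract's claim that a tag computed from a plaintext checksum is not INT-RUP secure. The forgery it runs is the generic linear-dependence attack that underlies the known INT-RUP attacks on OCB: one encryption query of n+1 full blocks, one unverified-decryption query on a blockwise-different ciphertext, and then a mixed ciphertext whose n+1 plaintext-block differences cancel, so the honest tag still verifies. Assumptions of this example: the block cipher E is a lazily sampled random permutation standing in for AES-128, associated data and partial blocks are omitted, and the names OCB_PC, IdealBlockcipher, xor_dependent_subset and int_rup_forgery are the example's own.

```python
"""Added example: OCB2-style plaintext-checksum mode via XEX* masks, and the
generic INT-RUP forgery against it. Not the paper's or any library's code."""
import secrets

N_BITS = 128
MASK = (1 << N_BITS) - 1
R = 0x87  # x^128 + x^7 + x^2 + x + 1, the polynomial OCB uses for doubling


def times2(x: int) -> int:
    """Multiply by x in GF(2^128) (the "2L" of the mask derivation)."""
    x <<= 1
    return (x & MASK) ^ R if x >> N_BITS else x


def times3(x: int) -> int:
    """3L = 2L xor L."""
    return times2(x) ^ x


class IdealBlockcipher:
    """Assumption of this example: E_K as a lazily sampled random permutation."""

    def __init__(self):
        self.fwd, self.inv = {}, {}

    def _pair(self, x, y):
        self.fwd[x], self.inv[y] = y, x

    def enc(self, x):
        if x not in self.fwd:
            y = secrets.randbits(N_BITS)
            while y in self.inv:
                y = secrets.randbits(N_BITS)
            self._pair(x, y)
        return self.fwd[x]

    def dec(self, y):
        if y not in self.inv:
            x = secrets.randbits(N_BITS)
            while x in self.fwd:
                x = secrets.randbits(N_BITS)
            self._pair(x, y)
        return self.inv[y]


class OCB_PC:
    """OCB2-style mode on full blocks whose tag encrypts the plaintext checksum."""

    def __init__(self, E):
        self.E = E

    def _masks(self, nonce, l):
        d, deltas = self.E.enc(nonce), []          # L = E_K(N)
        for _ in range(l):
            d = times2(d)                           # Delta_i = 2^i L
            deltas.append(d)
        return deltas, times3(d)                    # tag mask 2^l 3 L

    @staticmethod
    def _checksum(blocks):
        acc = 0
        for b in blocks:
            acc ^= b
        return acc

    def encrypt(self, nonce, M):
        deltas, dtag = self._masks(nonce, len(M))
        C = [self.E.enc(m ^ d) ^ d for m, d in zip(M, deltas)]   # XEX
        return C, self.E.enc(self._checksum(M) ^ dtag)           # XE for the tag

    def decrypt_unverified(self, nonce, C):
        """The RUP decryption oracle D_K: plaintext is released without a tag check."""
        deltas, _ = self._masks(nonce, len(C))
        return [self.E.dec(c ^ d) ^ d for c, d in zip(C, deltas)]

    def verify(self, nonce, C, T):
        _, dtag = self._masks(nonce, len(C))
        M = self.decrypt_unverified(nonce, C)
        return self.E.enc(self._checksum(M) ^ dtag) == T


def xor_dependent_subset(vectors):
    """Non-empty index set S with XOR of vectors[i] over S == 0, by Gaussian
    elimination over GF(2); guaranteed to exist when len(vectors) > N_BITS."""
    basis = {}                                   # pivot bit -> (vector, index mask)
    for i, v in enumerate(vectors):
        s = 1 << i
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = (v, s)
                break
            bv, bs = basis[p]
            v, s = v ^ bv, s ^ bs
        else:                                    # v reduced to zero: dependence found
            return [k for k in range(len(vectors)) if s >> k & 1]
    return None


def int_rup_forgery(scheme, nonce, l=N_BITS + 1):
    """One encryption query, one unverified decryption query, one forgery."""
    M = [secrets.randbits(N_BITS) for _ in range(l)]
    C, T = scheme.encrypt(nonce, M)
    C2 = [c ^ 1 for c in C]                      # any ciphertext differing in every block
    M2 = scheme.decrypt_unverified(nonce, C2)    # RUP: released without verification
    diffs = [m ^ m2 for m, m2 in zip(M, M2)]     # all nonzero: each block map is a permutation
    S = set(xor_dependent_subset(diffs))         # differences over S cancel in the checksum
    forged = [C2[i] if i in S else C[i] for i in range(l)]
    return forged, T, C


def demo():
    scheme = OCB_PC(IdealBlockcipher())
    nonce = secrets.randbits(N_BITS)
    forged, T, C = int_rup_forgery(scheme, nonce)
    return forged != C and scheme.verify(nonce, forged, T)
```

The forged ciphertext differs from the one the encryption oracle returned, yet it carries the same plaintext checksum and therefore the same tag; the forgery needs no nonce repetition, only the plaintext released by \(\mathcal {D}_K\). The step the attack relies on is that the values entering the checksum are exactly the values the unverified-decryption oracle hands out, which is the weakness of PCC that the intermediate checksum of OCB-IC is designed to remove.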
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Zhang, P., Wang, P., Hu, H., Cheng, C., Kuai, W. (2017). INT-RUP Security of Checksum-Based Authenticated Encryption. In: Okamoto, T., Yu, Y., Au, M., Li, Y. (eds) Provable Security. ProvSec 2017. Lecture Notes in Computer Science, vol 10592. Springer, Cham. https://doi.org/10.1007/978-3-319-68637-0_9
DOI: https://doi.org/10.1007/978-3-319-68637-0_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68636-3
Online ISBN: 978-3-319-68637-0