Paper 2016/1059
The INT-RUP Security of OCB with Intermediate (Parity) Checksum
Ping Zhang, Peng Wang, and Honggang Hu
Abstract
OCB provides neither integrity under releasing unverified plaintext (INT-RUP) nor nonce-misuse resistance. The tag of OCB is generated by encrypting the plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we fix the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modified schemes, OCB-IC and OCB-IPC, to settle the INT-RUP of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than that of OCB-IC. To improve their speed, we utilize a "prove-then-prune" approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations).
Metadata
- Category
- Secret-key cryptography
- Publication info
- Preprint.
- Keywords
- OCB, INT-RUP, nonce-misuse, checksum, MTPRP, prove-then-prune
- Contact author(s)
- zgp @ mail ustc edu cn
- History
- 2016-11-15: received
- Short URL
- https://ia.cr/2016/1059
- License
- CC BY
BibTeX
@misc{cryptoeprint:2016/1059,
  author = {Ping Zhang and Peng Wang and Honggang Hu},
  title = {The {INT}-{RUP} Security of {OCB} with Intermediate (Parity) Checksum},
  howpublished = {Cryptology {ePrint} Archive, Paper 2016/1059},
  year = {2016},
  url = {https://eprint.iacr.org/2016/1059}
}