OCB mode

Offset codebook mode (OCB mode) is an authenticated encryption mode of operation for cryptographic block ciphers. [1] [2] OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version has been proven insecure, while the original OCB1 and OCB3 (published in 2011) are still considered secure.

Encryption and authentication

OCB mode was designed to provide both message authentication and privacy. It is essentially a scheme for integrating a message authentication code (MAC) into the operation of a block cipher. In this way, OCB mode avoids the need to use two systems: a MAC for authentication and encryption for confidentiality. This results in lower computational cost compared to using separate encryption and authentication functions.

There are three versions of OCB: OCB1, OCB2 and OCB3. OCB1 was published in 2001. OCB2 improves on OCB1 by allowing associated data (data that are not encrypted but should still be authenticated) to be included with the message, thereby providing authenticated encryption with associated data (AEAD), and by introducing a new method for generating the sequence of offsets. OCB2 was first published in 2003, originally named authenticated-encryption mode, or advanced encryption mode (AEM), and was shown to be completely insecure in 2019. OCB3, published in 2011, again changes how the offsets are computed and introduces minor performance improvements.

OCB2 was standardized in ISO/IEC 19772:2009 [3] (although it was removed from the standard following the publication of the attack), and a modified OCB3 was standardized in RFC 7253. [4] The RFC encodes the tag length into the internally formatted nonce.

Performance

OCB's performance overhead is minimal compared to classical, non-authenticating modes such as cipher block chaining. OCB requires one block cipher operation per block of encrypted and authenticated message and one block cipher operation per block of associated data, plus one extra block cipher operation at the end of the process.

For comparison, CCM mode, which offers similar functionality, requires twice as many block cipher operations per message block (associated data requires one operation per block, as in OCB).

Patents

While OCB is now in the public domain, Rogaway initially patented OCB mode so that he could charge for commercial licenses and in an attempt to stop his work from showing up in military-related projects. [5] Rogaway intentionally abandoned his OCB patents in 2021. [6]

Two U.S. patents were issued for OCB mode. [7] The patents have hindered approval by the National Institute of Standards and Technology. [citation needed]

While OCB mode was patented, Rogaway made three licenses available to allow OCB mode to be freely used in software licensed under the GNU General Public License (later, under any open source license certified by the Open Source Initiative [8]), in non-commercial, non-military projects, and in OpenSSL.

Since Rogaway only applied for patent protection in the U.S., the algorithm has always been free to use in software that is neither developed nor sold inside the U.S. [9]

Attacks

Niels Ferguson pointed out collision attacks on OCB, which limit the amount of data that can be securely processed under a single key to about 280 terabytes. [10] [11]

In October 2018, Inoue and Minematsu presented an existential forgery attack against OCB2 that requires only a single prior encryption query and almost no computational power or storage. [12] The attack does not extend to OCB1 or OCB3, and it requires that the associated data field of the forged ciphertext be empty. Poettering [13] and Iwata [14] improved the forgery attack to a full plaintext recovery attack just a couple of days later. The four authors later produced a joint report. [15]

References

  1. Ted Krovetz and Phillip Rogaway (July 23, 2012). "The OCB Authenticated-Encryption Algorithm". Retrieved May 28, 2012.
  2. Phillip Rogaway. "OCB Mode". Retrieved May 28, 2012.
  3. "ISO/IEC 19772:2009 Information technology -- Security techniques -- Authenticated encryption". ISO. February 12, 2009. Retrieved May 28, 2012.
  4. Ted Krovetz and Phillip Rogaway (2014). "The OCB Authenticated-Encryption Algorithm". IETF.
  5. Phillip Rogaway. "OCB - An Authenticated-Encryption Scheme - Licensing - Rogaway". www.cs.ucdavis.edu. Retrieved July 31, 2023.
  6. Phillip Rogaway. "OCB patents are abandoned; freely usable". mailarchive.ietf.org. Retrieved February 27, 2021.
  7. Phillip Rogaway. "OCB FAQ - Is OCB Patented". Retrieved May 28, 2012.
  8. Phillip Rogaway (January 9, 2013). "OCB: free licenses".
  9. Phillip Rogaway (March 29, 2005). "OCB: Offer Letter". Retrieved May 28, 2012.
  10. Niels Ferguson (February 11, 2002). "Collision attacks on OCB" (PDF).
  11. Phillip Rogaway (February 27, 2015). "OCB: Background".
  12. Akiko Inoue and Kazuhiko Minematsu (October 26, 2018). "Cryptanalysis of OCB2".
  13. Bertram Poettering (November 8, 2018). "Breaking the confidentiality of OCB2".
  14. Tetsu Iwata (November 11, 2018). "Plaintext Recovery Attack of OCB2".
  15. "Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality". March 19, 2019.