[Resource Topic] 2023/326: A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Welcome to the resource topic for 2023/326

Title:
A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality

Authors: Jean Liénardy, Frédéric Lafitte

Abstract:

OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD).
This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module.
The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonce. Different ways to fix the mode are presented.

ePrint: https://eprint.iacr.org/2023/326

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .