The INT-RUP Security of OCB with Intermediate (Parity) Checksum

OCB is neither integrity under releasing unvierified plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we fix the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modified schemes OCB-IC and OCB-IPC to settle the INT-RUP of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than OCB-IC. To improve their speed, we utilize a “prove-then-prune” approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations).