Improved Collision Attack on OCB
Abstract
In this paper we present an improvement of the collision attack of [1] on the authenticated encryption mode of operation OCB. [1] gives a method for detecting a collision and a way to exploit it: the information from a collision can be used to change some blocks of the message unnoticed, provided those blocks have a special property. We found a way to use the information from a collision to change any future message at any position, without knowing anything about the plaintexts or the nonces. Once a collision has been detected, the probability of successful cheating (forgery) is 1, and this part of the attack can be carried out by hand. It should be noted that our attack still depends on the complexity of detecting a collision, so it does not violate the security bounds given in [2, 3]. Once a collision has been found, however, the attack is simple and devastating.
Similar references
Collision attacks on OCB
We show that collision attacks are quite effective on the OCB block cipher mode. When a collision occurs, OCB loses its authentication capability. To keep adequate authentication security, OCB has to be limited in the amount of data it processes. This restriction is relevant to real-life applications and casts doubt on the wisdom of using OCB.
Collision Attacks Against CAESAR Candidates - Forgery and Key-Recovery Against AEZ and Marble
In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction. OCB has a security proof up to 2^{n/2} queries, and a matching forgery attack was described by Ferguson, where the main step of the att...
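The attack described in the abstract at the top of this page and in the two abstracts directly above can be reproduced at toy scale. The following Python example is added here and is not code from any of the papers listed. It assumes an 8-bit block, a random permutation standing in for the block cipher E_K, OCB1-style offsets Delta_i = gray(i)*L xor R with L the secret mask-generating value and R a per-nonce value, and GF(2^8) with the AES reduction polynomial for the offset arithmetic (real OCB uses n = 128 and its own polynomial); all function names are the example's own. It shows the two steps the abstracts describe: detecting a collision from the public pairs (M_i, C_i) alone, since M_i xor C_i = X_i xor E_K(X_i) does not depend on the offsets, and then recovering L from the colliding pair, which fixes every future offset for that key. Because accidental matches of M_i xor C_i occur at roughly the same rate as real internal collisions, the recovery yields a short candidate list that contains the true L rather than a single value. A birthday-bound helper computes the data limit per key that the second abstract above alludes to.

```python
"""Toy demonstration of the collision attack on an OCB-style XEX mode.

Constructed example (not from any of the listed papers): an 8-bit block, a
random permutation in place of the block cipher E_K, and OCB1-style offsets
Delta_i = gray(i)*L xor R, with L the secret mask-generating value and R a
per-nonce value.  Real OCB uses n = 128 over GF(2^128); only the scale differs.
"""
import math
import random

N_BITS = 8                    # toy block size (real OCB: 128)
BLOCK = 1 << N_BITS
POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1, the AES field GF(2^8)


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & BLOCK:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """Inverse of a non-zero element: a^(2^n - 2), since a^(2^n - 1) = 1."""
    r = 1
    for _ in range(BLOCK - 2):
        r = gf_mul(r, a)
    return r


def gray(i):
    """Gray code of the block index, the coefficient of L in OCB1 offsets."""
    return i ^ (i >> 1)


def offsets(L, R, nblocks):
    """Delta_i = gray(i)*L xor R for blocks i = 1..nblocks."""
    assert nblocks < BLOCK, "toy field: index coefficient must fit in n bits"
    return [gf_mul(gray(i), L) ^ R for i in range(1, nblocks + 1)]


def xex_encrypt(E, L, R, blocks):
    """XEX: C_i = E(M_i xor Delta_i) xor Delta_i."""
    return [E[m ^ d] ^ d for m, d in zip(blocks, offsets(L, R, len(blocks)))]


def detect_and_recover(blocks, cts):
    """Attacker side, given only the (M_i, C_i) pairs.

    V_i = M_i xor C_i = X_i xor E(X_i), with X_i = M_i xor Delta_i the cipher
    input, so the unknown offsets cancel.  A real collision X_i == X_j forces
    V_i == V_j and gives M_i xor M_j = Delta_i xor Delta_j
    = (gray(i) xor gray(j)) * L, so L follows by one field division.
    Accidental V matches occur at a similar rate, hence a candidate list that
    contains the true L whenever a real collision occurred.
    """
    by_v = {}
    for idx, (m, c) in enumerate(zip(blocks, cts), start=1):
        by_v.setdefault(m ^ c, []).append(idx)
    candidates = []
    for idxs in by_v.values():
        for a in range(len(idxs)):
            for b in range(a + 1, len(idxs)):
                i, j = idxs[a], idxs[b]
                coef = gray(i) ^ gray(j)          # non-zero: gray is injective
                diff = blocks[i - 1] ^ blocks[j - 1]
                candidates.append(gf_mul(diff, gf_inv(coef)))
    return candidates


def simulate(seed, nblocks):
    """Key, nonce value and message drawn from a seeded PRNG.  Returns
    (true L, attacker's candidate list, whether a real internal collision occurred)."""
    rng = random.Random(seed)
    E = list(range(BLOCK))
    rng.shuffle(E)                                # random permutation as E_K
    L = rng.randrange(1, BLOCK)
    R = rng.randrange(BLOCK)
    blocks = [rng.randrange(BLOCK) for _ in range(nblocks)]
    cts = xex_encrypt(E, L, R, blocks)
    xs = [m ^ d for m, d in zip(blocks, offsets(L, R, nblocks))]   # oracle view only
    return L, detect_and_recover(blocks, cts), len(set(xs)) < len(xs)


def max_blocks(n_bits, p_collision):
    """Blocks one key may process before an internal collision (and with it
    loss of authentication) occurs with probability p; birthday bound
    q ~ sqrt(2 * 2^n * ln(1/(1-p)))."""
    return math.sqrt(2.0 * 2.0 ** n_bits * -math.log1p(-p_collision))


if __name__ == "__main__":
    for seed in range(4):
        L, cands, real = simulate(seed, 24)      # about 1.5 * 2^(n/2) blocks
        print(f"seed {seed}: L={L:#04x} real collision={real} "
              f"candidates={[f'{c:#04x}' for c in cands]}")
    print(f"n=128, p=2^-32: about 2^{math.log2(max_blocks(128, 2.0 ** -32)):.1f} blocks")
```

With 24 blocks per message, about a third of the seeds produce a real internal collision, and in every such run the true L appears among a handful of candidates; a forger who can test candidates against the receiver needs only a few tries. For n = 128 and a tolerated collision probability of 2^-32 the helper gives roughly 2^48 blocks per key, which is the kind of per-key data limit the second abstract above argues for.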
Protecting Cipher Block Chaining Against Adaptive Chosen Plaintext Attack
In the literature, several encryption modes of operation based on cipher block chaining (CBC) have been proven secure under non-adaptive chosen-plaintext attack (CPA-1) in the left-or-right (LOR) or find-then-guess (FTG) security models. However, it was shown by Joux et al. at Crypto 2002 that if we allow the adversary to perform an adaptive chosen-plaintext attack (CPA-2), then CBC, ABC ...
The INT-RUP Security of OCB with Intermediate (Parity) Checksum
OCB is neither secure under release of unverified plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting the plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext c...
Improved Collision Attack on MD4
In this paper, we propose an attack method for finding collisions of the MD4 hash function. This attack is an improved version of the attack invented by Xiaoyun Wang et al. [1]. We were able to find collisions with probability almost 1, and the average complexity of finding a collision is upper bounded by three MD4 hash operations. This result is improved compared to the original result...