INT-RUP Security of Checksum-Based Authenticated Encryption

Abstract

Offset codebook mode (OCB) provides neither integrity under releasing unverified plaintext (INT-RUP) nor nonce-misuse resistance. The tag of OCB is generated by encrypting a plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new type of structure, called plaintext and ciphertext checksum (PCC), which is a generalization of the plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then, we fix the weakness of PCC and present another new type of structure, called intermediate checksum (IC), to generate the authentication tag. To settle the INT-RUP security of OCB in the nonce-misuse setting, we provide a modified OCB scheme based on IC, called OCB-IC. OCB-IC is proven INT-RUP secure up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). Finally, we present some discussions about OCB-IC.

Appendix: Blockcipher-based OCB-IC

To realize OCB-IC with a tweakable blockcipher \(\widetilde{E}: \mathcal {K}\times \mathcal {T}\times \{0,1\}^n\rightarrow \{0,1\}^n\), where \(\mathcal {T}=\{0,1\}^n\times \mathcal {I}\times \mathcal {J}\) is a tweak space, \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers, we use a conventional block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\) to instantiate OCB-IC[\(\widetilde{E}\)] by the XEX* construction \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\). Overloading the notation, we rewrite this scheme as OCB-IC[E].

The overview of OCB-IC[E] is depicted in Fig. 3. OCB-IC[E] is made up of three algorithms, an encryption algorithm \(\mathcal {E}_K\), a decryption algorithm \(\mathcal {D}_K\), and a verification algorithm \(\mathcal {V}_K\). The detailed description of OCB-IC[E] is shown in Fig. 4. If the underlying block cipher E is a secure strong pseudorandom permutation (SPRP), OCB-IC[E] is proven INT-RUP security up to the birthday bound in the nonce-misuse setting.

Fig. 3.

OCB-IC[E] with a block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\). This coincides with OCB-IC[\(\widetilde{E}\)], where \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\), \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers, e.g., \(\mathcal {I}=\{0,1,2,\cdots ,2^n-1\}\), and \(\mathcal {J}=\{0,1,\cdots ,10\}\). Top row: the authentication of associated data A: \(Auth=PMAC1(A)\). If the length of associated data |A| is not a positive multiple of n bits, padding \(10^*\) to A so as to \(|A10^*|\) is a positive multiple of n bits. The authentication of associated data is achieved by PMAC1 algorithm (XE construction). If there is no associated data, then we set \(Auth=0\). Bottom row: the encryption and authentication of the plaintext P (XEX construction). The plaintext is encrypted twice to produce the ciphertext and the XOR-sum of intermediate states is used to generate the tag. We require that the length of the plaintext P is a positive multiple of n bits in OCB-IC[E]. Given an arbitrary-length message \(M\in \{0,1\}^*\), it needs to be padded to the plaintext \(P=pad(M)=M10^{n-1-(|M|\ mod\ n)}\) before the encryption algorithm in OCB-IC[E]. Meanwhile, we obtain the message after the decryption algorithm by the unpadding function \(unpad(P)=M\).

Fig. 4.

OCB-IC[E] with a block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\). This coincides with OCB-IC[\(\widetilde{E}\)], where \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\), \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers, e.g., \(\mathcal {I}=\{0,1,2,\cdots ,2^n-1\}\), and \(\mathcal {J}=\{0,1,\cdots ,10\}\). The encryption algorithm \(\mathcal {E}_K\) includes the encryption of the plaintext blocks, the authentications of associated data and the plaintext. The decryption algorithm \(\mathcal {D}_K\) is straightforward similar to the encryption algorithm except no authentication of the tag at the end of the decryption process. The verification algorithm \(\mathcal {V}_K\) outputs \(\top \) if the new tag generated by the nonce-associated data-ciphertext pair is equal to the original tag, \(\bot \) otherwise.

Theorem 4

(INT-RUP Security of OCB-IC with a Block Cipher). Fix a block cipher \(E: \mathcal {K} \times \{0, 1\}^n\rightarrow \{0, 1\}^n\) and a tweakable blockcipher \(\widetilde{E}: \mathcal {K} \times \mathcal {T}\times \{0, 1\}^n\rightarrow \{0, 1\}^n\), where \(\mathcal {T}=\{0,1\}^n\times \mathcal {I}\times \mathcal {J}\) is a tweak space, \(\mathcal {I}\) is a set of tuples of large integers, and \(\mathcal {J}\) is a set of tuples of small integers. Assume \(2^i3^j\ne 1\) for all \((i,j)\in \mathcal {I}\times \mathcal {J}\). Let \(\widetilde{E}=XEX^*[E,2^\mathcal {I}3^\mathcal {J}]\), \(\mathcal {A}\) be a nonce-misusing adversary, then we have

$$\begin{aligned} Adv_{OCB-IC[E]}^{int\,-\,rup}(\mathcal {A})\le Adv_{E}^{sprp}(\mathcal {B})+39(\sigma +q)^2/2^n+q_vq/2^n, \end{aligned}$$

where a new adversary \(\mathcal {B}\) has an additional running time equal to the time needed to process the queries from \(\mathcal {A}\).

Proof Sketch: We introduce dummy masks \(\{2L,2^2L,\cdots ,2^l\cdot L,2^l\cdot 3L\}\) to rewrite OCB-IC[E] in terms of the XEX* construction, where \(L=E_K(N)\). By Lemma , OCB-IC[E] can be replaced with OCB-IC[\(\widetilde{E}\)]. Such a replacement costs us

$$\begin{aligned} \frac{9.5(2\sigma +2q)^2}{2^n}+Adv_E^{sprp}(t',2\cdot 2(\sigma +q))=\frac{38(\sigma +q)^2}{2^n}+Adv_E^{sprp}(t',4(\sigma +q)). \end{aligned}$$

Therefore, combining with Theorem 3, we can easily obtain the bound of INT-RUP on OCB-IC[E].