OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption (PowerPoint presentation transcript)
1
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption
Phillip Rogaway, UC Davis (this work done at Chiang Mai University)
rogaway@cs.ucdavis.edu, http://www.cs.ucdavis.edu/~rogaway
With Mihir Bellare (UC San Diego), John Black (University of Nevada), Ted Krovetz (UC Davis)
MIT - November 9, 2001
2
Principal Goals of Symmetric Cryptography
Privacy: What the Adversary sees tells her nothing of significance about the underlying message M that the Sender sent.
Authenticity: The Receiver is sure that the string he receives was sent (in exactly this form) by the Sender.
Authenticated Encryption: Achieves both privacy and authenticity.
3
Why Authenticated Encryption?
  • Efficiency: by merging privacy and authenticity one can achieve efficiency difficult to achieve if handling them separately.
  • Easier-to-correctly-use abstraction: by delivering strong security properties one may minimize encryption-scheme misuse.

4
Easier to correctly use because stronger security properties
(Hierarchy of notions from the slide, strongest first; each scheme is placed at the notion it achieves.)
  • Idealized encryption
  • Authenticated encryption = IND-CPA + auth of ciphertexts [Bellare, Rogaway; Katz, Yung]: OCB
  • IND-CCA, NM-CCA [Bellare, Namprempre]
  • IND-CPA [Goldwasser, Micali; Bellare, Desai, Jokipii, Rogaway]: CTR, CBC
  • ECB
5
Right or Wrong?
It depends on what definition E satisfies.
(Protocol diagram; A and B share key K.)
  A → B: A . RA
  B → A: EK(A . B . RA . RB . sk)
  A → B: EK(RB)
6
Generic Composition
Traditional approach to authenticated encryption: glue together an encryption scheme (E) and a message authentication code (MAC).
Folklore approach. See Bellare, Namprempre and Krawczyk for analysis.
(The diagram also labels the preferred way to do generic composition; not transcribed.)
7
Generic Composition
  + Versatile, clean approach
  + Reduces design work
  + Quick rejection of forged messages if use optimized MAC (e.g., UMAC)
  + Inherits the characteristics of the modes one builds from
  - Cost = (cost to encrypt) + (cost to MAC). For CBC Enc + CBC MAC, cost ≈ 2 × (cost to CBC Enc)
  - Often done wrong
  - Two keys
  - Inherits characteristics of the modes one builds from

8
Trying to do Better
  • Numerous attempts to make privacy + authenticity cheaper.
  • One approach: stick with generic composition, but find cheaper encryption schemes or MACs.
  • Make authenticity an incidental adjunct to privacy within a conventional-looking mode:
    CBC-with-various-checksums (wrong)
    PCBC in Kerberos (wrong)
    PCBC of Gligor, Donescu 99 (wrong)
    Jutla 00: first correct solution
  • Jutla described two modes, IACBC and IAPM.
  • A lovely start, but many improvements possible.
  • OCB inspired by IAPM, but many new characteristics.

9
Additional Related Work
  • Halevi: improved on Jutla's IAPM proof and helped to clarify what was going on in the scheme.
  • Gligor, Donescu: proposed IACBC-like scheme, using mod 2^n addition.

10
What is OCB?
  • Authenticated-encryption scheme
  • Uses any block cipher (e.g., AES)
  • Computational cost ≈ cost of CBC
  • OCB-AES good in SW or HW
  • Lots of nice characteristics designed in:
  • Uses ⌈|M|/n⌉ + 2 block-cipher calls
  • Uses any nonce (needn't be unpredictable)
  • Works on messages of any length
  • Creates minimum-length ciphertext
  • Uses a single block-cipher key, each block-cipher call keyed with it
  • Quick key setup: suitable for single-message sessions
  • Essentially endian-neutral
  • Fully parallelizable
  • No n-bit additions
  • Provably secure: if you break OCB-AES you've broken AES
  • In IEEE 802.11 draft standard (wireless LANs)

11

(Diagram of OCB encryption; the labels that survive are:)
Checksum = M1 ⊕ M2 ⊕ … ⊕ Mm-1 ⊕ Cm 0* ⊕ Pad
L = EK(0)
12
Gray-Code Trick
Instead of forming L, 2L, 3L, 4L, … (in GF(2^n)) we form L, 3L, 2L, 6L, …

  i   g(i)   ntz(i)   2^ntz(i)   g(i-1) ⊕ 2^ntz(i)   dec
  0   0000   -        -          -                   0
  1   0001   0        0001       0001                1
  2   0011   1        0010       0011                3
  3   0010   0        0001       0010                2
  4   0110   2        0100       0110                6
  5   0111   0        0001       0111                7
  6   0101   1        0010       0101                5
  7   0100   0        0001       0100                4
  8   1100   3        1000       1100                12

In this way, the ith point in the sequence is formed by xoring the prior one with 2^ntz(i) · L. The values L(ntz(i)) = 2^ntz(i) · L can be precomputed. (But Schroeppel points out that one can also do this with L, 2L, 3L, … by using different L(i) values.)
13
Pseudocode of OCB[E, τ]
algorithm OCB-Encrypt_K(Nonce, M)
    L(0) ← EK(0)
    L(-1) ← lsb(L(0)) ? (L(0) >> 1) ⊕ Const43 : (L(0) >> 1)
    for i ← 1, 2, … do L(i) ← msb(L(i-1)) ? (L(i-1) << 1) ⊕ Const87 : (L(i-1) << 1)
    Partition M into M1 … Mm          // each n bits, except Mm may be shorter
    Offset ← EK(Nonce ⊕ L(0))
    for i ← 1 to m-1 do
        Offset ← Offset ⊕ L(ntz(i))
        Ci ← EK(Mi ⊕ Offset) ⊕ Offset
    Offset ← Offset ⊕ L(ntz(m))
    Pad ← EK(len(Mm) ⊕ Offset ⊕ L(-1))
    Cm ← Mm ⊕ (first |Mm| bits of Pad)
    Checksum ← M1 ⊕ … ⊕ Mm-1 ⊕ Cm 0* ⊕ Pad
    Tag ← first τ bits of EK(Checksum ⊕ Offset)
    return C1 … Cm Tag
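As an added example (not from the slides and not the OCB project's reference code), the following Python carries out the pseudocode above together with the Gray-code offset trick of the previous slide, and also the matching decryption that returns None for Invalid. It assumes a 128-bit block, a nonce given as an n-bit string, τ given in bytes, and a constructed Feistel permutation standing in for AES so that it runs offline.

```python
import hashlib, hmac
N = 16  # block size in bytes (n = 128 bits); nonce, L and offsets are all N-byte strings

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ntz(i):  # number of trailing zero bits of i
    return (i & -i).bit_length() - 1

def double(L):  # 2·L in GF(2^128): shift left, xor Const87 = 0^120 10000111 if the msb was set
    v = int.from_bytes(L, "big") << 1
    return ((v ^ 0x87 if v >> 128 else v) & ((1 << 128) - 1)).to_bytes(N, "big")

def halve(L):  # L/2 in GF(2^128): shift right, xor Const43 = 1 0^120 1000011 if the lsb was set
    v = int.from_bytes(L, "big")
    return ((v >> 1) ^ ((1 << 127) | 0x43) if v & 1 else v >> 1).to_bytes(N, "big")

def make_cipher(key):
    # Constructed stand-in for AES: a 4-round Feistel permutation with a SHA-256 round function,
    # used only so the example runs offline (swap in AES-128 for real use). Running the rounds
    # in reverse order inverts the network, which gives E_K^-1 for decryption.
    def feistel(x, rounds):
        l, r = x[:8], x[8:]
        for i in rounds:
            l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
        return r + l
    return lambda x: feistel(x, range(4)), lambda y: feistel(y, range(3, -1, -1))

def ocb(enc, dec, nonce, data, tau=16, decrypt=False):
    # OCB-Encrypt_K(Nonce, M) as on the slide, tau = tag length in bytes; with decrypt=True
    # it is the inverse and returns None ("Invalid") when the tag does not verify.
    if decrypt:  # split off the tag; input shorter than a tag simply fails verification
        data, tag = data[:max(len(data) - tau, 0)], data[-tau:]
    blocks = [data[i:i + N] for i in range(0, len(data), N)] or [b""]
    L = [enc(bytes(N))]                                             # L(0) = E_K(0)
    for _ in range(len(blocks).bit_length()):
        L.append(double(L[-1]))                                     # L(i) = 2·L(i-1)
    off, out, checksum = enc(xor(nonce, L[0])), [], bytes(N)        # Offset = E_K(Nonce ⊕ L(0))
    for i, B in enumerate(blocks[:-1], 1):
        off = xor(off, L[ntz(i)])                                   # Gray-code step: Offset ⊕= L(ntz(i))
        out.append(xor((dec if decrypt else enc)(xor(B, off)), off))  # C_i = E_K(M_i ⊕ Offset) ⊕ Offset
        checksum = xor(checksum, out[-1] if decrypt else B)         # Checksum ⊕= M_i
    off, last = xor(off, L[ntz(len(blocks))]), blocks[-1]
    pad = enc(xor(xor((8 * len(last)).to_bytes(N, "big"), off), halve(L[0])))  # E_K(len(M_m) ⊕ Offset ⊕ L(-1))
    out.append(xor(last, pad[:len(last)]))                          # C_m = M_m ⊕ first |M_m| bits of Pad
    c_m = last if decrypt else out[-1]
    checksum = xor(xor(checksum, c_m + bytes(N - len(last))), pad)  # ... ⊕ C_m 0* ⊕ Pad
    t = enc(xor(checksum, off))[:tau]                               # Tag = first tau bytes of E_K(Checksum ⊕ Offset)
    if decrypt:
        return b"".join(out) if hmac.compare_digest(t, tag) else None
    return b"".join(out) + t
```

A flipped tag bit, or the same ciphertext presented under a different nonce, makes the decrypt call return None, which is exactly the "C is valid" condition in the authenticity definition later in the deck.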
14
Wrong variant 1
Eliminate post-whitening.
15
Wrong variant 2
Checksum = M1 ⊕ M2 ⊕ … ⊕ Mm-1 ⊕ Mm 0* ⊕ Pad
16
Wrong variant 3
17
Assurance via Provable Security
  • Provable security begins with Goldwasser, Micali 82.
  • Despite the name, one doesn't really prove security.
  • Instead, one gives reductions: theorems of the form "If a certain primitive is secure, then the scheme based on it is secure."
  • E.g.: If AES is a secure block cipher, then OCB-AES is a secure authenticated-encryption scheme.
  • Equivalently: If some adversary A does a good job at breaking OCB-AES, then some comparably efficient B does a good job to break AES.
  • Actual theorems quantitative: they measure how much security is lost across the reduction.

18
(Provable security: symmetric/asymmetric)
19
Privacy
IND-CPA: Indistinguishability from Random Bits
Goldwasser, Micali; Bellare, Desai, Jokipii, Rogaway
Adversary A sends queries (Nonce_i, M_i) to one of two oracles:
  Real E_K oracle: returns E_K(Nonce_i, M_i)
  Rand-bits oracle: returns |M_i| + τ random bits
Adv^priv(A) = Pr[A^Real ⇒ 1] − Pr[A^Rand ⇒ 1]
20
Authenticity
Authenticity of Ciphertexts
Bellare, Rogaway; Katz, Yung; this paper
  • Adversary A forges if she outputs (Nonce, C) s.t.
    C is valid (it decrypts to a message, not to Invalid), and
    there was no earlier query (Nonce, Mi) that returned C.
Adversary A sends queries (Nonce_i, M_i) to the real E_K oracle and receives E_K(Nonce_i, M_i); finally A outputs (Nonce, C).
Adv^auth(A) = Pr[A forges]
21
Block-Cipher Security
PRP and Strong PRP
Goldreich, Goldwasser, Micali; Luby, Rackoff; Bellare, Kilian, Rogaway
Adversary B sends queries x_i to either a random-permutation oracle π (returns π(x_i)) or the real E_K oracle (returns E_K(x_i)).
Adv^prp(B) = Pr[B^{E_K} ⇒ 1] − Pr[B^π ⇒ 1]
Adv^sprp(B) = Pr[B^{E_K, E_K^{-1}} ⇒ 1] − Pr[B^{π, π^{-1}} ⇒ 1]
22
OCB Theorems
Privacy theorem
Suppose an adversary A distinguishes OCB[E, τ] in time t, with total-num-of-blocks σ and advantage Adv^priv(A).
Then there is an adversary B that breaks block cipher E with time t, num-of-queries σ, and
  Adv^prp(B) ≥ Adv^priv(A) − 1.5 σ² / 2^n
Authenticity theorem
Suppose an adversary A forges OCB[E, τ] with time t, total-num-of-blocks σ and advantage Adv^auth(A).
Then there is an adversary B that breaks block cipher E with time t, num-of-queries σ, and
  Adv^sprp(B) ≥ Adv^auth(A) − 1.5 σ² / 2^n − 2^{−τ}
23
Proof Idea
  • As usual, focus on the information-theoretic setting OCB[Perm(n), τ].
  • Privacy reasonably clear. Every nonce gives a random R, and then we pre-whiten with L ⊕ R, 2L ⊕ R, 3L ⊕ R, …, giving
    X1 = M1 ⊕ L ⊕ R, X2 = M2 ⊕ 2L ⊕ R, X3 = M3 ⊕ 3L ⊕ R, …
  • With high probability, none of these Xi values repeat.
  • Authenticity much more difficult. Suppose A forges using nonce N and ciphertext C'1 … C'c.
    Case 1: no earlier (N, ·)
    Case 2: earlier (N, C1 … Cm) with m ≠ c
    Case 3: earlier (N, C1 … Cc) and C'i ≠ Ci for some i < c
    Case 4: earlier (N, C1 … Cc) and C'i = Ci for all i < c and C'c = Cc
    Case 5: earlier (N, C1 … Cc) and C'i = Ci for all i < c and C'c ≠ Cc

24
(No Transcript)
25
Structure Lemma
If A makes q queries of aggregate length σ blocks and then forges a c-block message,

  Adv^auth_{OCB[Perm(n), τ]}(A) ≤ max_{m1, …, mq sum to σ} [ Σ_i Mcoll(mi) + Σ_{i<j} MMcoll(mi, mj) + Σ_i CMcoll(c, mi) ]
                                   + (σ² + q + 5c + 11) / 2^{n+1} + 1 / 2^τ
26
Mcoll, MMcoll, CMcoll (informally)
Mcoll(m): Choose a string N M1 … Mm S. Choose L, R ∈ {0,1}^n. What's the chance of a collision when you form all the induced Xi values (including 0, N ⊕ L)?
MMcoll(m, m'): Choose strings N M1 … Mm S and N' M'1 … M'm' S', choose L, R, R' ∈ {0,1}^n. What's the chance that one of the Xi values associated to the first message is the same as an X'j value associated to the second?
CMcoll(c, m): Choose strings N M1 … Mm C1 … Cm and N' C'1 … C'c. Choose all random values needed to define X'c+1, the value that EK determines the tag from. What's the chance that X'c+1 collides with another Xi, X'j?
27
What the structure lemma does for us
  • Eliminates adaptivity as an issue.
  • Lets us focus on pairs of messages instead of
    all q messages.
  • Lets us calculate, carry out case analysis.

Proving the structure lemma
  • Uses the game substitution approach (as in
    KR).
  • Six games are used, slowly blending.

28
Assembly Speed
Data from Helger Lipmaa (www.tcs.hut.fi/~helger, helger@tcs.hut.fi). Best Pentium AES code known.
  OCB-AES      16.9 cpb (271 cycles)
  CBC-AES      15.9 cpb (255 cycles)
  ECB-AES      14.9 cpb (239 cycles)
  CBCMAC-AES   15.5 cpb (248 cycles)
  OCB-AES: 6.5% slower
1 Kbyte messages, pure Pentium 3 assembly, AES128. Overhead so small that AES with a C-code CBC wrapper is slightly more expensive than AES with an assembly OCB wrapper.
C Speed
Data from Ted Krovetz. Compiler is MS VC. Uses rijndael-alg-fst.c ref code.
  OCB-AES      28.1 cpb (449 cycles)
  CBCMAC-AES   26.8 cpb (428 cycles)
  OCB-AES: 4.9% slower
29
Why I like OCB
  • Ease-of-correct-use. Reasons: all-in-one approach; any type of nonce; parameterization limited to block cipher and tag length.
  • Aggressively optimized: optimal in many dimensions (key length, ciphertext length, key setup time, encryption time, decryption time, available parallelism, SW characteristics, HW characteristics).
  • Simple but non-obvious
  • Ideal setting for practice-oriented provable security

For More Information
  • OCB web page: www.cs.ucdavis.edu/~rogaway
  • Contains FAQ, papers, reference code, ...