
A paper published by Niels Ferguson, "Collision attacks on OCB", indicates that processing large amounts of data (somewhere on the order of $2^{32}$ 128-bit blocks) with a single encryption operation (same key and nonce) makes it probable that an attacker could create a modified ciphertext that would generate the same tag as the original ciphertext (pass authentication) and decrypt to a different plaintext.

The probability of the necessary X collision occurring

$$(m-1)^2 \cdot 2^{-128}$$

appears to be related to the block size of the cipher. A 128-bit cipher (the size originally recommended in the OCB specification) was used for all the probabilities cited in the paper.

Another surprising property observed is that using larger tag lengths increases the probability of a collision occurring.

My primary question is: does using a larger bit size cipher (say 512 bits) with a small tag size (say 64 bits) decrease the probability of this collision occurring? Furthermore, if so, does it decrease it enough that more than $2^{32}$ blocks of data can be written with less than a $2^{-64}$ chance of message forgery?

Niels advises against the widespread use of OCB. Is this the consensus throughout the cryptographic community?

Patriot
K3rb3ros
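The bound quoted from the paper, worked through numerically. This is an added example, not code from the question or the paper; it assumes the questioner's hypothesis that the $2^{-128}$ factor scales with the cipher's block size $n$ (i.e. $(m-1)^2 \cdot 2^{-n}$), which the page does not confirm, and solves exactly for the largest block count $m$ that keeps the bound below a target such as $2^{-64}$.

```python
from fractions import Fraction
from math import isqrt


def forgery_bound(m: int, block_bits: int = 128) -> Fraction:
    """Collision probability (m-1)^2 * 2^-n from the question, as an exact
    rational.  Using block_bits instead of a fixed 128 is an ASSUMPTION made
    for this example (the question only hypothesises it)."""
    if m < 1:
        raise ValueError("m must be at least 1 block")
    return Fraction((m - 1) ** 2, 2 ** block_bits)


def max_blocks_under(block_bits: int, target_exp: int) -> int:
    """Largest m with forgery_bound(m, block_bits) < 2**-target_exp.

    Rearranged: (m-1)^2 < 2^(n-t), solved in exact integer arithmetic
    so that values like 2^224 are not rounded through a float."""
    if block_bits < target_exp:
        return 1  # 2^(n-t) < 1, so only m-1 == 0 satisfies the strict bound
    limit = 2 ** (block_bits - target_exp)  # (m-1)^2 must be strictly below this
    return isqrt(limit - 1) + 1


def blocks_to_bytes(m: int, block_bits: int = 128) -> int:
    """Translate a block budget into bytes of plaintext under one key/nonce."""
    return m * block_bits // 8


if __name__ == "__main__":
    # Constructed inputs: the 128-bit case from the paper and the 512-bit
    # cipher / 2^-64 target from the question.
    for n in (128, 512):
        m = max_blocks_under(n, 64)
        print(f"n={n}: up to 2^{m.bit_length() - 1} blocks "
              f"({blocks_to_bytes(m, n)} bytes) keep the bound below 2^-64")
    # At m = 2^32 with a 128-bit block the bound is just under 2^-64; one
    # more block pushes it to exactly 2^-64.
    print(forgery_bound(2 ** 32) < Fraction(1, 2 ** 64),
          forgery_bound(2 ** 32 + 1) == Fraction(1, 2 ** 64))
```

Under the stated assumption, a 128-bit block cipher reaches the $2^{-64}$ line at exactly $2^{32}$ blocks (64 GiB), which matches the "order of $2^{32}$" figure in the question.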

1 Answer


Using a larger block size in a cipher will always aid in mitigating collisions.

For a practical example, take what OWASP says about key management:

If the amount of data encrypted grows beyond a certain threshold, a new key should be used. This certain threshold varies depending on the encryption algorithm used, but is typically $2^{35}$ bytes (~34 gigabytes) for 64 bit block ciphers (DES, 3DES, Blowfish, RC5, ...) and $2^{68}$ bytes (~ 295,147,905 terabytes) for 128 bit block ciphers (AES, TwoFish, Serpent). If encrypting with a modern cipher, this threshold is unlikely to be reached, but it should be considered when evaluating algorithms and rotation procedures.*

I think Niels' views on the use of OCB are more academic than those of most people who might implement such a system. The biggest reason why OCB isn't being used is its patent. It also didn't help that OCBv1 didn't allow additional authenticated data. It was later added in OCBv2, but it did hurt adoption.

To reiterate on the above, Niels presents a more academic and logical argument against the adoption of OCB, but the biggest reason why it wasn't adopted was due to the patent the author has on it.

*https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Limit_quantity_of_data_encrypted_with_one_key

Tuxxy