Provable-Security

OCB and GCM security

  • January 26, 2020

Is OCB as secure as GCM or CCM?

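Since the design of OCB is completely different from that of GCM and CCM, I would like to know whether OCB also satisfies the security properties of the latter.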

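If you look at the OCB submission to CAESAR, you will see that the designers state that its security is similar to that of GCM. However, I would note that GCM has been shown to have classes of weak keys, for example: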

I found the following explanation in a book (Serious Cryptography):

OCB is a bit less fragile than GCM against repeated nonces. For example,
if a nonce is used twice, an attacker that sees the two ciphertexts will
notice that, say, the third plaintext block of the first message is identical
to the third plaintext block of the second message. With GCM, attackers
can find not only duplicates but also XOR differences between blocks at
the same position. The impact of repeated nonces is therefore worse with
GCM than it is with OCB.
As with GCM, repeated nonces can break the authenticity of OCB,
though less effectively. For example, an attacker could combine blocks
from two messages authenticated with OCB to create another encrypted
message with the same checksum and tag as one of the original two
messages, but the attacker would not be able to recover a secret key as
with GCM.

http://index-of.es/Varios-2/Serious%20Cryptography%20A%20Practical%20Introduction%20to%20Modern%20Encryption%20(2).pdf

Quoted from: https://crypto.stackexchange.com/questions/18821
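
The confidentiality difference described in the book passage above can be reproduced with a small model. This is an added example, not code from the post or from the book. It assumes a toy 4-round Feistel permutation as a stand-in for AES and hash-derived offsets in place of OCB's real offset schedule; all function names are hypothetical.

```python
import hashlib

BLOCK = 16  # bytes per block, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key, data):
    return hashlib.sha256(key + data).digest()

def toy_block_encrypt(key, block):
    # Constructed stand-in for AES: 4-round Feistel permutation (not secure).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, prf(key, bytes([rnd]) + right)[:8])
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ctr_encrypt(key, nonce, pt):
    # Encryption layer of GCM: C_i = P_i xor E_K(nonce || i), 12-byte nonce.
    return b"".join(
        xor(p, toy_block_encrypt(key, nonce + i.to_bytes(4, "big")))
        for i, p in enumerate(blocks(pt)))

def ocb_like_encrypt(key, nonce, pt):
    # OCB-style block layer: C_i = E_K(P_i xor D_i) xor D_i.
    # Assumption: offset D_i comes from a hash here, not OCB's real schedule.
    out = []
    for i, p in enumerate(blocks(pt)):
        d = prf(key, b"offset" + nonce + i.to_bytes(4, "big"))[:BLOCK]
        out.append(xor(toy_block_encrypt(key, xor(p, d)), d))
    return b"".join(out)

def observe(encrypt, key, n1, n2, p1, p2):
    # Returns (does C1 xor C2 equal P1 xor P2, positions with equal ciphertext blocks).
    c1, c2 = encrypt(key, n1, p1), encrypt(key, n2, p2)
    xor_leaked = xor(c1, c2) == xor(p1, p2)
    same = [i for i, (a, b) in enumerate(zip(blocks(c1), blocks(c2))) if a == b]
    return xor_leaked, same

# Constructed sample messages: only the third block is shared.
KEY, N1, N2 = b"k" * 16, b"\x00" * 12, b"\x01" * 12
P1 = b"A" * 16 + b"B" * 16 + b"SAME-THIRD-BLOCK"
P2 = b"X" * 16 + b"Y" * 16 + b"SAME-THIRD-BLOCK"

if __name__ == "__main__":
    for name, enc in (("CTR (GCM)", ctr_encrypt), ("OCB-like", ocb_like_encrypt)):
        print(name, "reuse:", observe(enc, KEY, N1, N1, P1, P2),
              "fresh:", observe(enc, KEY, N1, N2, P1, P2))
```

With a repeated nonce the CTR layer exposes the XOR of every pair of blocks, while the OCB-style layer exposes only that the third blocks match; with distinct nonces neither exposes anything in this model.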