Provable-Security
OCB and GCM security
Is OCB as secure as GCM or CCM?
Since the design of OCB is completely different from that of GCM and CCM, I would like to know whether OCB also satisfies the security properties of the latter two.
If you look at the OCB submission to CAESAR, you will see that the designers state that its security is similar to that of GCM. However, I would note that GCM has been shown to have classes of weak keys, for example:
I found the following explanation in a book (Serious Cryptography):
OCB is a bit less fragile than GCM against repeated nonces. For example, if a nonce is used twice, an attacker that sees the two ciphertexts will notice that, say, the third plaintext block of the first message is identical to the third plaintext block of the second message. With GCM, attackers can find not only duplicates but also XOR differences between blocks at the same position. The impact of repeated nonces is therefore worse with GCM than it is with OCB. As with GCM, repeated nonces can break the authenticity of OCB, though less effectively. For example, an attacker could combine blocks from two messages authenticated with OCB to create another encrypted message with the same checksum and tag as one of the original two messages, but the attacker would not be able to recover a secret key as with GCM.
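As an added illustration of the block-level difference the quoted passage describes (this is not code from the book, the question or the answers): a toy model of the two encryption cores under nonce reuse. GCM encrypts in counter mode, so `C_i = P_i XOR E_K(nonce||ctr)`, while OCB's core computes `C_i = E_K(P_i XOR Delta_i) XOR Delta_i`. The Feistel-over-HMAC "block cipher", the offset derivation and the sample messages are constructed stand-ins for AES and for OCB's real offset schedule; tags and checksums are not modelled.

```python
import hashlib
import hmac

BLOCK = 16

def toy_prp(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit keyed permutation: 4-round Feistel with HMAC-SHA256 round
    function. A constructed stand-in for AES so the demo needs only the stdlib."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gcm_style_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """GCM confidentiality layer: CTR mode, plaintext never enters the cipher.
    Assumes a 12-byte nonce and full 16-byte blocks (constructed simplification)."""
    out = b""
    for i in range(0, len(pt), BLOCK):
        keystream = toy_prp(key, nonce + (i // BLOCK + 2).to_bytes(4, "big"))
        out += xor(pt[i:i + BLOCK], keystream)
    return out

def ocb_style_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """OCB confidentiality layer: each block passes through the cipher, masked
    by a nonce-derived offset Delta_i. Offset derivation is a constructed
    simplification of OCB's schedule; checksum and tag are omitted."""
    out = b""
    for i in range(0, len(pt), BLOCK):
        delta = toy_prp(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += xor(toy_prp(key, xor(pt[i:i + BLOCK], delta)), delta)
    return out

def nonce_reuse_leak(encrypt, key: bytes, nonce: bytes, m1: bytes, m2: bytes):
    """Per block: (are the two ciphertext blocks equal?, their XOR).
    Under GCM the XOR equals the plaintext XOR; under OCB it does not."""
    c1, c2 = encrypt(key, nonce, m1), encrypt(key, nonce, m2)
    return [(c1[i:i + BLOCK] == c2[i:i + BLOCK], xor(c1[i:i + BLOCK], c2[i:i + BLOCK]))
            for i in range(0, len(c1), BLOCK)]

if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 12                       # constructed sample values
    m1 = b"block-one-------shared-block----"               # two 16-byte blocks
    m2 = b"block-two-------shared-block----"               # second block identical
    for name, enc in (("GCM-style", gcm_style_encrypt), ("OCB-style", ocb_style_encrypt)):
        for idx, (same, diff) in enumerate(nonce_reuse_leak(enc, key, nonce, m1, m2)):
            print(name, "block", idx, "equal:", same, "xor==plaintext xor:",
                  diff == xor(m1[idx * BLOCK:(idx + 1) * BLOCK], m2[idx * BLOCK:(idx + 1) * BLOCK]))
```

Both modes reveal that the second blocks are identical; only the GCM-style model also reveals the XOR of the differing first blocks, which is the "worse" leakage the passage refers to.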