Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality
Journal of Cryptology (IF 2.3), Pub Date: 2020-06-29, DOI: 10.1007/s00145-020-09359-8
Akiko Inoue , Tetsu Iwata , Kazuhiko Minematsu , Bertram Poettering

We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim of providing particularly efficient and provably secure authenticated encryption, and since its proposal about 15 years ago it has been among the top performers in this realm. OCB2 was included in an ISO standard in 2009. An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX* mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2's security promises: we develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. As a direct consequence of our findings, OCB2 is currently in the process of being removed from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy attacks on OCB2 require an active adversary.

Updated: 2020-06-29