International Association
for Cryptologic Research

I will talk about OCB2, an authenticated encryption (AE) mode of operation proposed at 2004. It is a very popular scheme for its innovative design. The tweakable block cipher-based modular architecture of OCB2 was influenced to countless subsequent schemes. However, our paper presented at CRYPTO 2019 showed that it is completely broken with negligible amount of computation. In addition to the description of our attacks, I will tell a bit more on the story behind this break, how it started and evolved, hoping that it contributes to our understanding of practical provable security.

A tweakable block cipher (TBC) basically consists of a block cipher with an extra input, the tweak, that allows to select a family of keyed permutations. Since their first formalization by Liskov et al. at CRYPTO 2012, TCBCs have recently gained popularity as they can easily instantiate beyond birthday-bound operating modes. In particular, these modes are potentially very attractive for lightweight cryptography, where it is crucial to reach a security as high as possible for a state as small as possible. In this talk, we will review the latest advances in tweakable block ciphers. First, we will recall how to design TBCs from an existing primitive or from scratch. Then, using the example of lightweight authenticated encryption, we will study why TBCs are very competitive primitives in that scenario. Finally, we will exhibit other possible future usages of TBCs. Throughout the talk, we will try to identify several possibly interesting open research problems.