Abstract

Authenticated encryption (AE) is the most widely used form of encryption, because it guarantees both confidentiality and integrity. Among the many AE algorithms, OCB is recognized as the best choice for its performance on platforms that support the AES-NI instructions. The problem is that OCB is not robust: its security breaks down in complicated situations such as nonce misuse or release of unverified plaintext (RUP). Although many new AE algorithms have been submitted to the CAESAR competition and the ongoing lightweight AEAD competition to address these problems, their computational overhead is high. Considering that it is costly to change algorithms on machines that have already deployed OCB, we focus on adding RUP security and nonce-misuse resistance to OCB with an acceptable trade-off in running time. To this end, we introduce two authenticated encryption schemes, OCB-RUP and nmOCB-RUP, which combine the OCB mode with a tweakable blockcipher of variable tweak length. We give a security proof for our schemes and an optimized implementation using the AES-NI and PCLMULQDQ instructions, and we compare its performance with the AES-OCB implementation in OpenSSL. Our measurements show that OCB-RUP is only 34% slower than AES-OCB, and that even nmOCB-RUP, the slower of the two, encrypts at under one cycle per byte. We conclude that our schemes are a practical option for enhancing the OCB mode, providing RUP security and nonce-misuse resistance at low cost.

Full Text
Published version (Free)
