Paper 2024/1527
How to Recover the Full Plaintext of XCB
Abstract
XCB, a tweakable enciphering mode, is part of IEEE Std. 1619.2 for shared storage media. We show that all versions of XCB are not secure through three plaintext recovery attacks. A key observation is that XCB behaves like an LRW1-type tweakable block cipher for single-block messages, which lacks CCA security. The first attack targets one-block XCB, using three queries to recover the plaintext. The second one requires four queries to recover the plaintext that excludes one block. The last one requires seven queries to recover the \emph{full} plaintext. The first attack applies to any scheme that follows the XCB structure, whereas the latter two attacks work on all versions of XCB, exploiting the separable property of the underlying universal hash function. To address these flaws, we propose the XCB* structure, an improved version of XCB that adds only two XOR operations. We prove that XCB* is STPRP-secure when using AXU hash functions, SPRPs, and a secure random-IV-based stream cipher.
Note: We note that the work of Bhati et. al. [3] predated and inspired this work.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- XCBTweakable enciphering modeLRW1CCA
- Contact author(s)
-
p-wang @ ucas ac cn
maoshuping19 @ mails ucas ac cn
xuruozhou21 @ mails ucas ac cn
jwjing @ ucas ac cn
wangyuewu @ ucas ac cn - History
- 2025-04-12: last of 9 revisions
- 2024-09-29: received
- See all versions
- Short URL
- https://ia.cr/2024/1527
- License
-
CC BY-NC-ND
BibTeX
@misc{cryptoeprint:2024/1527,
author = {Peng Wang and Shuping Mao and Ruozhou Xu and Jiwu Jing and Yuewu Wang},
title = {How to Recover the Full Plaintext of {XCB}},
howpublished = {Cryptology {ePrint} Archive, Paper 2024/1527},
year = {2024},
url = {https://eprint.iacr.org/2024/1527}
}
