A weakness in OCB3 used with short nonces allowing for a break of authenticity and confidentiality
Information Processing Letters (IF 0.5), Pub Date: 2023-05-04, DOI: 10.1016/j.ipl.2023.106404
Jean Liénardy, Frédéric Lafitte

OCB3 is a mature and provably secure authenticated encryption mode of operation which allows for associated data (AEAD). This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce-repetition as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces. Different ways to fix the mode are presented.
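Added illustration of the nonce-processing step the abstract refers to, as specified in RFC 7253 section 4.2 (not code from the paper): it formats a nonce into the 128-bit Nonce block, splits off Top and Bottom, derives Offset_0 from Stretch, and counts how many distinct cipher inputs all nonces of a given bit length produce. Assumptions: the block cipher is an injected callable, `placeholder_cipher` is a constructed stand-in rather than AES, and whether this Top-sharing among short nonces is the exact condition the paper exploits is not stated in the abstract.

```python
# OCB3 nonce processing as specified in RFC 7253, section 4.2. Added
# illustration, not code from the paper; the block cipher is injected so the
# formatting step can be inspected without a crypto library.

TAGLEN = 128  # tag length in bits (the RFC's default)
MASK128 = (1 << 128) - 1


def format_nonce(nonce: int, nonce_bits: int, taglen: int = TAGLEN) -> int:
    """128-bit Nonce block: num2str(TAGLEN mod 128, 7) || zeros(120-|N|) || 1 || N."""
    assert 0 < nonce_bits <= 120 and 0 <= nonce < (1 << nonce_bits)
    return ((taglen % 128) << 121) | (1 << nonce_bits) | nonce


def split_nonce(block: int) -> tuple[int, int]:
    """Top = Nonce with its last 6 bits zeroed (the cipher input); Bottom = those 6 bits."""
    return block & ~0x3F, block & 0x3F


def initial_offset(encipher, nonce: int, nonce_bits: int) -> int:
    """Ktop = E_K(Top); Stretch = Ktop || (Ktop xor (Ktop<<8)); Offset_0 = Stretch[Bottom..Bottom+127]."""
    top, bottom = split_nonce(format_nonce(nonce, nonce_bits))
    ktop = encipher(top) & MASK128
    stretch = (ktop << 128) | (ktop ^ ((ktop << 8) & MASK128))  # 256-bit value
    return (stretch >> (128 - bottom)) & MASK128  # bit 0 of Stretch is its MSB


def distinct_tops(nonce_bits: int) -> int:
    """How many distinct cipher inputs (Top values) all nonces of this bit length produce."""
    return len({split_nonce(format_nonce(n, nonce_bits))[0] for n in range(1 << nonce_bits)})


def placeholder_cipher(block: int) -> int:
    """Constructed stand-in permutation (multiply by an odd constant mod 2^128); NOT AES."""
    return (block * 0x0123456789ABCDEF0123456789ABCDEF) & MASK128


if __name__ == "__main__":
    for bits in (4, 6, 7, 8):
        print(f"{bits:>2}-bit nonces: {1 << bits:>4} nonces map to {distinct_tops(bits)} Top value(s)")
    # Two 6-bit nonces: identical Ktop, so the offsets are two windows of one Stretch.
    for n in (0, 9):
        print(f"6-bit nonce {n:2d}: Offset_0 = {initial_offset(placeholder_cipher, n, 6):032x}")
```

For nonces longer than six bits the Top value varies with the nonce's upper bits, so the cipher is evaluated on different inputs; the RFC's byte-length nonces start at 8 bits, where every Top is shared by 64 nonces.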




Updated: 2023-05-04