
Plaintext Recovery Attack of OCB2 [pdf] - tptacek
https://eprint.iacr.org/2018/1090.pdf
======
tptacek
This short paper extends the attack discussed here:

[https://news.ycombinator.com/item?id=18350594](https://news.ycombinator.com/item?id=18350594)

... into plaintext recovery (in the setting of the attack, which is chosen-
ciphertext). You can think of it like an OCB2-specific version of a padding
oracle.

