Re: [Cfrg] OCB test vectors reusing nonces

Matt Caswell <frodo@baggins.org> Wed, 29 January 2014 19:50 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1153876A898@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1153850CDA3@WSMSG3153V.srv.dir.telstra.com> <6232F83F-A6F5-41C7-8EAD-B60EF8B11165@krovetz.net> <255B9BB34FB7D647A506DC292726F6E11538595640@WSMSG3153V.srv.dir.telstra.com> <5E4A161D-6631-4026-A432-F7C0DC200079@krovetz.net> <255B9BB34FB7D647A506DC292726F6E115386DFD48@WSMSG3153V.srv.dir.telstra.com> <CAMoSCWbdhwgrOLoCZ4PZu4xOz0D_hAS9UXiO+a=JPwiLEzn+uA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1153876A898@WSMSG3153V.srv.dir.telstra.com>
Date: Wed, 29 Jan 2014 19:50:16 +0000
Message-ID: <CAMoSCWatzTbZjOcFbNif96se8HGyNbyS-6JYVgJQS96M_PphvA@mail.gmail.com>
From: Matt Caswell <frodo@baggins.org>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] OCB test vectors reusing nonces

On 29 January 2014 01:06, Manger, James <James.H.Manger@team.telstra.com> wrote:
> One solution is to change the key for each tag length, giving 9 distinct keys for the 9 cases.
>
>    K = num2str(TAGLEN, KEYLEN)    // eg 00..0040 when TAGLEN == 64
>
> I then get:
>
>    AEAD_AES_128_OCB_TAGLEN128 Output: 67E944D23256C5E0B6C61FA22FDF1EA2
>    AEAD_AES_192_OCB_TAGLEN128 Output: F673F2C3E7174AAE7BAE986CA9F29E17
>    AEAD_AES_256_OCB_TAGLEN128 Output: D90EB8E9C977C88B79DD793D7FFA161C
>    AEAD_AES_128_OCB_TAGLEN96 Output : 77A3D8E73589158D25D01209
>    AEAD_AES_192_OCB_TAGLEN96 Output : 05D56EAD2752C86BE6932C5E
>    AEAD_AES_256_OCB_TAGLEN96 Output : 5458359AC23B0CBA9E6330DD
>    AEAD_AES_128_OCB_TAGLEN64 Output : 192C9B7BD90BA06A
>    AEAD_AES_192_OCB_TAGLEN64 Output : 0066BC6E0EF34E24
>    AEAD_AES_256_OCB_TAGLEN64 Output : 7D4EA5D445501CBE
>

I have successfully verified these.

>> Also - a more minor nit - your notation for incrementing the nonce
>> seems odd to me. The nonce is defined as a string of bytes - whereas
>> in your notation it is treated as an integer which can be incremented.
>>
>> Matt
>
> I think "N = N + 1" is more obvious than "N = num2str(3*i + 1, 96)", even if it does mix byte strings and arithmetic.

Agreed. One possibility is just to use the convention used elsewhere in the draft and define a function for this purpose, e.g. "N = incrementstr(N)".

Matt
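As an added illustration (not code from the thread or from the OCB draft), the two notations discussed above written out as byte-string helpers: num2str as the draft uses it, the per-tag-length key K = num2str(TAGLEN, KEYLEN), and an incrementstr that walks the nonce as a big-endian byte string with carry so that repeated "N = N + 1" lands on the same value as num2str(3*i + 1, 96). The name incrementstr is the one proposed above; its exact definition here (big-endian increment, wrapping to all zero after all bytes are 0xFF) is an assumption.

```python
# Added example: byte-string helpers for the test-vector conventions discussed
# in the thread. incrementstr's definition (big-endian carry, wrap at 2^bits)
# is an assumption, not text from the draft.

def num2str(n: int, bits: int) -> bytes:
    """Encode integer n as a big-endian string of exactly bits/8 bytes."""
    if bits % 8:
        raise ValueError("bit length must be a multiple of 8")
    if not 0 <= n < (1 << bits):
        raise ValueError("integer does not fit in the requested width")
    return n.to_bytes(bits // 8, "big")


def incrementstr(s: bytes) -> bytes:
    """Treat s as a big-endian counter and add one, propagating the carry.

    Wraps to the all-zero string when every byte is 0xFF, matching
    integer arithmetic modulo 2^(8*len(s)).
    """
    out = bytearray(s)
    for i in range(len(out) - 1, -1, -1):
        if out[i] != 0xFF:
            out[i] += 1
            return bytes(out)
        out[i] = 0  # byte overflowed, carry into the next more significant byte
    return bytes(out)  # every byte carried: wrapped around to zero


def taglen_key(taglen: int, keylen: int) -> bytes:
    """Per-tag-length key from the thread: K = num2str(TAGLEN, KEYLEN)."""
    return num2str(taglen, keylen)


def nonce_for_case(i: int, nonce_bits: int = 96) -> bytes:
    """Nonce for test case i written directly: N = num2str(3*i + 1, 96)."""
    return num2str(3 * i + 1, nonce_bits)


def nonce_by_incrementing(i: int, nonce_bits: int = 96) -> bytes:
    """Same nonce reached in the 'N = N + 1' style: start at zero, increment 3*i + 1 times."""
    n = num2str(0, nonce_bits)
    for _ in range(3 * i + 1):
        n = incrementstr(n)
    return n
```

The two nonce functions agree for every case index, which is what makes the shorter "N = N + 1" notation a safe substitute for the explicit num2str form once the byte-string increment is defined.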