Re: [Cfrg] Request For Comments: OCB Internet-Draft

Simon Josefsson <> Fri, 15 July 2011 07:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DDC0521F8777 for <>; Fri, 15 Jul 2011 00:54:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.932
X-Spam-Status: No, score=-103.932 tagged_above=-999 required=5 tests=[AWL=-1.333, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1o7+Yh9OqIIy for <>; Fri, 15 Jul 2011 00:54:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A509E21F876E for <>; Fri, 15 Jul 2011 00:54:31 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6F7sOCR027704 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 15 Jul 2011 09:54:26 +0200
From: Simon Josefsson <>
To: Ted Krovetz <>
References: <> <>
OpenPGP: id=B565716F; url=
Date: Fri, 15 Jul 2011 09:54:23 +0200
In-Reply-To: <> (Ted Krovetz's message of "Thu, 14 Jul 2011 17:35:13 -0700")
Message-ID: <>
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97 at yxa-v
X-Virus-Status: Clean
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Jul 2011 07:54:33 -0000

Ted Krovetz <> writes:

>> It would help if you explained (in the security considerations) what
>> happens if a nonce is repeated.
> Nice suggestion. Security is lost if nonces are reused during
> encryption. We've made this clearer in the ID and have resubmitted it
> as draft-krovetz-ocb-02.

Thank you!

Are there any implications for the key if a nonce is repeated?  Let's
say I use the same nonce all the time, and the attacker can do
known-plaintext attacks.  Can the attacker recover the key faster than
he would be able to if the nonces were not repeated?

I'm trying to get AEAD cipher modes to say more than just "the security
properties are lost" when talking about failure modes.  "security
properties are lost" can mean so many things, and it is useful to be
able to rule out some unwanted side effects.