Re: [Cfrg] Request For Comments: OCB Internet-Draft

Ted Krovetz <> Fri, 15 July 2011 16:45 UTC


> If you know how "partial" that is, it would be useful for the draft.

> Ted, I think you can be rather more specific.

In my opinion the point of the nonce-reuse warning is to impress upon security engineers that catastrophe strikes if a nonce is reused during encryption, and so they should make nonce reuse impossible. If nonce reuse is impossible, then it is irrelevant how bad the damage is when nonces are reused.

RFC writers need to walk a fine line: RFCs are primarily a description of technology, but should include enough high-level context to inform against poor usage. I think the current warnings on nonce reuse do this, but if you can suggest a scenario where the current advice is being heeded and yet it is still useful to know how bad not heeding it would be, I'm open to adding some quantifications.

It may be worth adding a few paragraphs to the OCB paper describing and quantifying the damage, but I'm a bit reluctant to do so in the ID.
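The principle stated above, that nonce reuse must be made impossible rather than merely discouraged, as an added example that is not part of this thread or of the OCB draft: a counter-based nonce source that fsyncs a reservation to disk before issuing any counter, so the same nonce cannot be produced twice under one key even across a crash and restart. The 96-bit nonce layout, the state-file path and the `RESERVE` size are assumptions of this example.

```python
import os
import struct
import threading

RESERVE = 1024   # counter values persisted per stable-storage write

class NonceExhausted(Exception):
    """Counter space under this key is used up: rotate the key, never wrap."""

class CounterNonceSource:
    """Issues 96-bit nonces that cannot repeat under one key, even across crashes.

    Layout (assumed here): 32-bit key/device id || 64-bit counter. A reservation
    above every issued counter is fsync'd to disk before the counter is handed
    out, so a restart resumes past any nonce that may already have been used.
    """

    def __init__(self, state_path, key_id):
        self._path = state_path
        self._key_id = key_id
        self._lock = threading.Lock()
        self._next = self._read_reservation()   # 0 on a fresh state file
        self._limit = self._next                # counters below _limit are on disk

    def _read_reservation(self):
        try:
            with open(self._path, "rb") as f:
                return struct.unpack(">Q", f.read(8))[0]
        except FileNotFoundError:
            return 0

    def _reserve(self, up_to):
        # Write, fsync, then rename: a crash leaves either the old or the new value.
        tmp = self._path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(struct.pack(">Q", up_to))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self._path)
        self._limit = up_to

    def next_nonce(self):
        with self._lock:
            if self._next >= self._limit:
                if self._limit + RESERVE > 0xFFFFFFFFFFFFFFFF:
                    raise NonceExhausted("rotate the key")
                self._reserve(self._limit + RESERVE)
            ctr = self._next
            self._next += 1
        return struct.pack(">IQ", self._key_id, ctr)
```

A restart after a crash skips ahead to the last persisted reservation, so at most `RESERVE` counter values are wasted and none is ever reissued.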