Re: [Cfrg] Attacker changing the tag length in OCB
Phillip Rogaway <rogaway@cs.ucdavis.edu> Mon, 03 June 2013 19:52 UTC
Return-Path: <rogaway@cs.ucdavis.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00D221E804B for <cfrg@ietfa.amsl.com>; Mon, 3 Jun 2013 12:52:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.46
X-Spam-Level:
X-Spam-Status: No, score=0.46 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, J_CHICKENPOX_66=0.6, J_CHICKENPOX_71=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWZi3Y4vAhue for <cfrg@ietfa.amsl.com>; Mon, 3 Jun 2013 12:52:01 -0700 (PDT)
Received: from smtp.cs.ucdavis.edu (smtp.cs.ucdavis.edu [169.237.4.8]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFFC21F9485 for <cfrg@irtf.org>; Mon, 3 Jun 2013 12:41:45 -0700 (PDT)
X-ASG-Debug-ID: 1370288503-04dbe80e0b13800001-UHwLLG
Received: from ocb.cs.ucdavis.edu (ocb.cs.ucdavis.edu [169.237.6.151]) by smtp.cs.ucdavis.edu with ESMTP id b5Owq1prX0BiTPfl for <cfrg@irtf.org>; Mon, 03 Jun 2013 12:41:43 -0700 (PDT)
X-Barracuda-Envelope-From: rogaway@cs.ucdavis.edu
X-Barracuda-Apparent-Source-IP: 169.237.6.151
Received: from localhost (ocb.cs.ucdavis.edu [169.237.6.151]) by ocb.cs.ucdavis.edu (8.14.3/8.14.1/Debian-8ubuntu1) with ESMTP id r53Jfg5C018072 for <cfrg@irtf.org>; Mon, 3 Jun 2013 12:41:43 -0700
Date: Mon, 03 Jun 2013 12:41:42 -0700
From: Phillip Rogaway <rogaway@cs.ucdavis.edu>
To: cfrg@irtf.org
Message-ID: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>
X-ASG-Orig-Subj: Re: Attacker changing the tag length in OCB
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
X-X-Sender: rogaway@[RogawaySamsung9]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Barracuda-Connect: ocb.cs.ucdavis.edu[169.237.6.151]
X-Barracuda-Start-Time: 1370288503
X-Barracuda-URL: http://169.237.4.8:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at cs.ucdavis.edu
X-Barracuda-Spam-Score: 3.38
X-Barracuda-Spam-Status: No, SCORE=3.38 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=6.0 tests=FH_DATE_PAST_20XX
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.110453 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 3.38 FH_DATE_PAST_20XX The date is grossly in the future.
Subject: Re: [Cfrg] Attacker changing the tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2013 19:52:16 -0000
Hi everyone, Dan Brown wrote: > can (or has) somebody formalize(d) the problem here, and > prove[] that some method actually fixes solve the problem[?] > ... > let's not tweak OCB until we're certain of why and how. To the best of my knowledge, the question that has arisen on this mailing list does not correspond to any already formalized security notion. Here's one approach to formalizing the aim. First, the syntax for for an encryption algorithm E and decryption algorithm D are augmented by a new argument, taglen. We require that |E_K(N,A,P,taglen)| = |P|+taglen. Then game defining security is adjusted to: "Real" oracle pair. Select a random key K. Encrypt(N,A,P,taglen): return E_K(N,A,P,taglen) Decrypt(N,A,C,taglen): if taglen<TAGLEN return \bot return D_K(N,A,C,taglen) "Fake" oracle pair. Encrypt(N,A,P,taglen): return |P|+taglen random bits. Decrypt(N,A,C,taglen): return \bot Queries that allow a trivial wins are disallowed. But the notion above is not without issues. First, once you countenance variable-length tags, it seems good to consider arbitrarily short ones. That's not happening above because we effectively "give up" -- the adversary wins -- on first forgery. This motivates the minimum taglen, TAGLEN, used above. Relatedly, nowhere above is captured the idea that, say, a 128-bit tag is harder to forge than a 32-bit one. These issues can be addressed, but only by major definitional changes. The immature definitional story aside, I do think there's a simple and generic approach that likely achieves what people have in mind, at least for OCB: just drop the tag length into the nonce. This generalizes what James Manger, who started this discussion, wrote. Ted has suggested to me that, in the context of OCB, we could do it like this: (1) Require the nonce N to be 120 or fewer bits (right now, we allow up to 127 bits); (2) In the definition of OCB, replace the step Nonce = zeros(127-bitlen(N)) || 1 || N by Nonce = taglen || zeros(120-bitlen(N)) || 1 || N where taglen is the 7-bit binary representation of (TAGLEN mod 128) I think it's a good approach, designed to ensure that there's no change to OCB when the tag length is 128 bits (which we think is the the customary choice). And "conventional" AEAD security is trivially maintained. There are arguments both for and against making such a change: (+1) I think it does add a measure of robustness to have the "ciphertext core" meaningfully vary with the tag length. Folding the tag length into the nonce seems like the sort of "crypto engineering" choice that has not-well-characterized value beyond what our usual definitions speak to. (+2) Algorithmically, the change is cheap and easy, and it clearly retains "conventional" AEAD security. (+3) We suspect that those using OCB are using 128-bit tags, as MOSH does. The change, as described above, wouldn't impact them. On the other hand, (-1) There are already OCB implementations that handle tags of length other than 128 bits. These would have to change. (-2) The OCB spec is quite clear that TAGLEN, like the underlying blockcipher, is a system parameter; the user has no more business letting it vary in the course of a session than he has letting the underlying blockcipher vary during a session. (-3) I worry that trying to engineer things so that one can safely use varying tag lengths with a single key might send a message that this is an OK thing to do, contradicting the spec. Someone might even think it appropriate to accept a ciphertext with _any_ provided tag length, as long as the ciphertext is deemed valid. For most contexts, that would be disastrous. (-4) As indicated above, the definitional and provable-security story that ought to accompany such a change is immature. (-5) I find it pleasant that, currently, the algorithm of the published paper and the spec are exactly the same. When I weigh the pluses and minuses, I'm of the opinion that it is reasonable to go either way. Ted leans towards making the change. Neither of us feels strongly about it. If there is a consensus on this mailing list in favor of the change, Ted and I will make it. For now, I would consider this a heuristic measure that appears to buy a tiny measure of misuse resistance, and which provably does not damage standard AE security. Rene Struik wrote: > The observation that some AEADs have the property [that ciphertexts > look like C || T where C does not depend on the tag length] ... was > brought up by Rogaway and Wagner in their 2003 "Critique on CCM" paper > (Section 3.4). It is therefore kind of interesting to see that the same > observation applies to the OCB mode. I looked back to see what David and I concluded back then -- Does the attack above mean that the tag length \tau should have been used for computing the ciphertext core C? In our opinion, the answer is: "not necessarily." Rather, the attack highlights that the specification [of CCM] has made it unclear what the goal is with respect handling a multiplicity of tag lengths. We suggest that the tag length parameter \tau should be fixed at key-negotiation time, bound securely to the key, and negotiated authentically between both parties. Once a session has begun, there should be only a single value \tau that will be accepted by the receiver, and this should remain unchanged throughout the lifetime of the session. The receiver shouldn't accept a new \tau in the middle of a session any more than it would accept a new block cipher E. I would say that the OCB spec is perfectly in line with this conclusion. Best, phil
- Re: [Cfrg] Attacker changing the tag length in OCB Phillip Rogaway
- Re: [Cfrg] Attacker changing the tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing the tag length in OCB David McGrew
- Re: [Cfrg] Attacker changing the tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing the tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing the tag length in OCB Jack Lloyd
- [Cfrg] WG last call on latest OCB draft. Igoe, Kevin M.
- Re: [Cfrg] WG last call on latest OCB draft. Ted Krovetz
- Re: [Cfrg] WG last call on latest OCB draft. David Jacobson