Re: [Cfrg] Attacker changing the tag length in OCB
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Tue, 04 June 2013 18:44 UTC
Return-Path: <prvs=9867526929=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA97B21F8551 for <cfrg@ietfa.amsl.com>; Tue, 4 Jun 2013 11:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.398
X-Spam-Level:
X-Spam-Status: No, score=-5.398 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_66=0.6, J_CHICKENPOX_71=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iF9i5VpkGiy0 for <cfrg@ietfa.amsl.com>; Tue, 4 Jun 2013 11:44:02 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 5620B21F9133 for <cfrg@irtf.org>; Tue, 4 Jun 2013 11:39:52 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r54IdjeX031475; Tue, 4 Jun 2013 14:39:49 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Phillip Rogaway <rogaway@cs.ucdavis.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 04 Jun 2013 14:39:44 -0400
Thread-Topic: [Cfrg] Attacker changing the tag length in OCB
Thread-Index: Ac5hUuPYTzp3p6OkT0yANF56/CfAUg==
Message-ID: <CDD3ABA8.15D84%uri@ll.mit.edu>
In-Reply-To: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3453201584_7618489"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-06-04_07:2013-06-04, 2013-06-04, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1211240000 definitions=main-1306040178
Subject: Re: [Cfrg] Attacker changing the tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 18:44:07 -0000
I think the change you propose is good, and would enhance security & add robustness. I vote for making it, and wish such a change would/could be done to all AEAD modes with variable tag size. I don't know what to do, or how to answer your points (-3) and (-5). Tnx! -- Regards, Uri Blumenthal On 6/3/13 15:41 , "Phillip Rogaway" <rogaway@cs.ucdavis.edu> wrote: >Hi everyone, > >Dan Brown wrote: >> can (or has) somebody formalize(d) the problem here, and >> prove[] that some method actually fixes solve the problem[?] >> ... >> let's not tweak OCB until we're certain of why and how. > >To the best of my knowledge, the question that has arisen on this >mailing list does not correspond to any already formalized security >notion. Here's one approach to formalizing the aim. First, the >syntax for for an encryption algorithm E and decryption algorithm D >are augmented by a new argument, taglen. We require that >|E_K(N,A,P,taglen)| = |P|+taglen. Then game defining security >is adjusted to: > >"Real" oracle pair. Select a random key K. > Encrypt(N,A,P,taglen): return E_K(N,A,P,taglen) > Decrypt(N,A,C,taglen): if taglen<TAGLEN return \bot > return D_K(N,A,C,taglen) >"Fake" oracle pair. > Encrypt(N,A,P,taglen): return |P|+taglen random bits. > Decrypt(N,A,C,taglen): return \bot >Queries that allow a trivial wins are disallowed. > >But the notion above is not without issues. First, once you countenance >variable-length tags, it seems good to consider arbitrarily short ones. >That's not happening above because we effectively "give up" -- the >adversary >wins -- on first forgery. This motivates the minimum taglen, TAGLEN, used >above. Relatedly, nowhere above is captured the idea that, say, >a 128-bit tag is harder to forge than a 32-bit one. These issues can >be addressed, but only by major definitional changes. > >The immature definitional story aside, I do think there's a simple and >generic approach that likely achieves what people have in mind, at least >for OCB: just drop the tag length into the nonce. This generalizes what >James Manger, who started this discussion, wrote. Ted has suggested >to me that, in the context of OCB, we could do it like this: > > (1) Require the nonce N to be 120 or fewer bits (right now, > we allow up to 127 bits); > > (2) In the definition of OCB, replace the step > Nonce = zeros(127-bitlen(N)) || 1 || N > by > Nonce = taglen || zeros(120-bitlen(N)) || 1 || N > where taglen is the 7-bit binary representation of (TAGLEN mod >128) > >I think it's a good approach, designed to ensure that there's no change >to OCB when the tag length is 128 bits (which we think is the the >customary choice). And "conventional" AEAD security is trivially >maintained. > >There are arguments both for and against making such a change: >(+1) I think it does add a measure of robustness to have the >"ciphertext core" meaningfully vary with the tag length. Folding the >tag length into the nonce seems like the sort of "crypto engineering" >choice that has not-well-characterized value beyond what our usual >definitions speak to. >(+2) Algorithmically, the change is cheap and easy, and it clearly >retains "conventional" AEAD security. >(+3) We suspect that those using OCB are using 128-bit tags, as >MOSH does. The change, as described above, wouldn't impact them. >On the other hand, >(-1) There are already OCB implementations that handle tags >of length other than 128 bits. These would have to change. >(-2) The OCB spec is quite clear that TAGLEN, like the >underlying blockcipher, is a system parameter; the user has >no more business letting it vary in the course of a session >than he has letting the underlying blockcipher vary during a session. >(-3) I worry that trying to engineer things so that one can safely >use varying tag lengths with a single key might send a message that >this is an OK thing to do, contradicting the spec. Someone might >even think it appropriate to accept a ciphertext with _any_ provided >tag length, as long as the ciphertext is deemed valid. For most >contexts, that would be disastrous. >(-4) As indicated above, the definitional and provable-security >story that ought to accompany such a change is immature. >(-5) I find it pleasant that, currently, the algorithm of the >published paper and the spec are exactly the same. > >When I weigh the pluses and minuses, I'm of the opinion that it >is reasonable to go either way. Ted leans towards making >the change. Neither of us feels strongly about it. >If there is a consensus on this mailing list in favor of >the change, Ted and I will make it. For now, I would >consider this a heuristic measure that appears to buy a >tiny measure of misuse resistance, and which provably >does not damage standard AE security. > >Rene Struik wrote: >> The observation that some AEADs have the property [that ciphertexts >> look like C || T where C does not depend on the tag length] ... was >> brought up by Rogaway and Wagner in their 2003 "Critique on CCM" paper >> (Section 3.4). It is therefore kind of interesting to see that the same >> observation applies to the OCB mode. > >I looked back to see what David and I concluded back then -- > > Does the attack above mean that the tag length \tau should have been >used for > computing the ciphertext core C? In our opinion, the answer is: "not >necessarily." > Rather, the attack highlights that the specification [of CCM] has made >it unclear > what the goal is with respect handling a multiplicity of tag lengths. > We suggest that the tag length parameter \tau should be fixed at >key-negotiation time, > bound securely to the key, and negotiated authentically between both >parties. Once a > session has begun, there should be only a single value \tau that will >be accepted > by the receiver, and this should remain unchanged throughout the >lifetime of the > session. The receiver shouldn't accept a new \tau in the middle of a >session > any more than it would accept a new block cipher E. > >I would say that the OCB spec is perfectly in line with this conclusion. > > > >Best, >phil >_______________________________________________ >Cfrg mailing list >Cfrg@irtf.org >http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] Attacker changing the tag length in OCB Phillip Rogaway
- Re: [Cfrg] Attacker changing the tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing the tag length in OCB David McGrew
- Re: [Cfrg] Attacker changing the tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing the tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing the tag length in OCB Jack Lloyd
- [Cfrg] WG last call on latest OCB draft. Igoe, Kevin M.
- Re: [Cfrg] WG last call on latest OCB draft. Ted Krovetz
- Re: [Cfrg] WG last call on latest OCB draft. David Jacobson