Re: [Cfrg] [secdir] ISE seeks help with some crypto drafts

Tony Arcieri <> Sun, 10 March 2019 20:58 UTC

From: Tony Arcieri <>
Date: Sun, 10 Mar 2019 13:57:53 -0700
Message-ID: <>
To: Benjamin Kaduk <>
Cc: Ted Krovetz <>, CFRG <>, "RFC ISE (Adrian Farrel)" <>, secdir <>

On Sun, Mar 10, 2019 at 12:10 PM Benjamin Kaduk <> wrote:

> > I would like to remind everyone that OCB is not a "new mode". It is
> > specified in RFC 7253. This work generalizes the specification -- without
> > changing the 128-bit block case -- to allow other block cipher block
> > lengths.
> It's still a "distinct choice that a protocol designer (or user) picking a
> cipher has available to choose from", which is where the perceived downside
> of new things comes from.  My apologies for conflating the technical term
> with the generic.

I think there are significant compelling reasons to prefer OCB mode over
pretty much all other existing modes:

- Recent CAESAR winner (one of many in the portfolio, but)
- Fast anywhere AES is fast. No CLMUL required (good for embedded)
- Well-studied: IMO OCB is more likely than not to be covered in
classes/textbooks on symmetric cryptography

I think the IPR concerns are the main reason it has not seen more
widespread adoption.

If you were to ask me "Is it better than AES-GCM?", my answer is yes. OCB
hits the sweet spot of being a construction which is "fast everywhere", as
opposed to the split between AES-GCM and AES-CCM we see between
desktops/servers/high-end mobile vs embedded devices.

The wide block modes are a different question. I think they're potentially
interesting in use cases I'm not particularly familiar with (e.g. mixnets).
I'm not going to be the one to champion those through the CFRG, though.

That said, the inability to use OCB mode in IETF protocols (due to IPR
concerns) is a travesty, and hopefully one we can clear up.

Tony Arcieri