IETF Logo Mail Archive

Re: [Cfrg] OCB test vectors reusing nonces

"Manger, James" <James.H.Manger@team.telstra.com> Fri, 24 January 2014 05:54 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D3681A0199 for <cfrg@ietfa.amsl.com>; Thu, 23 Jan 2014 21:54:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.697
X-Spam-Level: *
X-Spam-Status: No, score=1.697 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f1Jx0s94fjbX for <cfrg@ietfa.amsl.com>; Thu, 23 Jan 2014 21:54:29 -0800 (PST)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id 8B3451A00F1 for <cfrg@irtf.org>; Thu, 23 Jan 2014 21:54:27 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.95,711,1384261200"; d="scan'208";a="179442044"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipoavi.tcif.telstra.com.au with ESMTP; 24 Jan 2014 16:54:25 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7327"; a="188237562"
Received: from wsmsg3702.srv.dir.telstra.com ([172.49.40.170]) by ipcdvi.tcif.telstra.com.au with ESMTP; 24 Jan 2014 16:54:25 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3702.srv.dir.telstra.com ([172.49.40.170]) with mapi; Fri, 24 Jan 2014 16:54:24 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Ted Krovetz <ted@krovetz.net>
Date: Fri, 24 Jan 2014 16:54:23 +1100
Thread-Topic: [Cfrg] OCB test vectors reusing nonces
Thread-Index: Ac8YosWBUvEhiwKxQyeedG+o8M+O6wAHW9Dw
Message-ID: <255B9BB34FB7D647A506DC292726F6E11538595640@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1153850CDA3@WSMSG3153V.srv.dir.telstra.com> <6232F83F-A6F5-41C7-8EAD-B60EF8B11165@krovetz.net>
In-Reply-To: <6232F83F-A6F5-41C7-8EAD-B60EF8B11165@krovetz.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] OCB test vectors reusing nonces
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 05:54:31 -0000

> From: Ted Krovetz [mailto:ted@krovetz.net]
> 
> Thanks James for verifying the vectors.
> 
> I'm reluctant to modify the draft this substantially at this point in
> the process. Such a change might significantly delay its progress.
> 
> Although I agree that your selection of tests is probably better than
> those in the draft, I also believe that the vectors in the draft along
> with reference implementations is sufficient to produce a correct
> implementation.


8 of the ciphertexts in appendix A start identically (BEA5E8798DB...) and 2 others start identically (92B657130A7...).
This does not look good. It causes confusion.
That is exactly the sort of behaviour that is supposed to be prevented by the provable security OCB enjoys.

OCB has a nice design feature that allows the AES operation applied to the nonce to be avoided 63 out of 64 times, if using incrementing nonces.
It is far more likely that this design feature will be tested if appendix A uses incrementing nonces (particularly for the 385 operations in each of the last tests).

For the above two reasons I think it would be worth updating the test vectors, despite some risk of causing a slight delay. Surely the draft doesn’t have to repeat much of the vetting process if only sample results change. I am willing to confirm new test vectors quickly.


Earlier I suggested nonces such as:
  N = zeros(80) || num2str(i,8) || num2str(1,8) 
  N = zeros(80) || num2str(i,8) || num2str(2,8) 
  N = zeros(80) || num2str(i,8) || num2str(3,8) 

If you do make a change, it would be even better for the nonces to be:
  N = num2str(3*i+1,96)
  N = num2str(3*i+2,96)
  N = num2str(3*i+3,96)

Or phrase it as:
  N = zeros(96)      // incremented before each use
  for i = 0 to 127 do
     S = zeros(8i)                   // i bytes of zeros
     N = N + 1
     C = C || OCB-ENCRYPT(K,N,S,S)
     N = N + 1
     C = C || OCB-ENCRYPT(K,N,<empty string>,S)
     N = N + 1
     C = C || OCB-ENCRYPT(K,N,S,<empty string>)
  end for
  N = N + 1          // 00...0181 after 385 increments
  Output : OCB-ENCRYPT(K,N,C,<empty string>)

--
James Manger



> On Jan 22, 2014, at 10:13 PM, Manger, James
> <James.H.Manger@team.telstra.com> wrote:
> 
> > I have implemented OCB authenticated encryption as per draft-irtf-
> cfrg-ocb-05.
> > I concur with the sample results in Appendix A.
> >
> > The sample results include 16 { aad, plaintext, ciphertext} tuples,
> but they are all for a tag length of 128.
> > It would be nice to include 1 similar sample with another tag length
> (in addition to the final section of Appendix A that does include
> results for other tag lengths, but only after a more complex
> combination of 385 encryptions).
> >
> > The first 16 samples all use the same key and nonce.
> > The last 9 samples involve reusing key & nonce pairs 3 times.
> > A crucial feature of OCB is that a key & nonce pair MUST NOT be
> reused.
> > The sample results should not violate this crucial condition.
> > The samples might actually be hard to run in some implementations
> that take strong measures to prevent nonce reuse.
> >
> > I suggest using incrementing nonces for the samples:
> > OLD
> >    Each of the following (A,P,C) triples show the ciphertext C that
> >    results from OCB-ENCRYPT(K,N,A,P) when K and N are fixed with the
> >    values
> >
> >    K : 000102030405060708090A0B0C0D0E0F
> >    N : 000102030405060708090A0B
> >
> >
> >    An empty entry indicates the empty string.
> >
> >      A:
> >      P:
> >      C: 197B9C3C441D3C83EAFB2BEF633B9182
> >
> >      A: 0001020304050607
> >      P: 0001020304050607
> >      C: 92B657130A74B85A16DC76A46D47E1EAD537209E8A96D14E
> >    ...
> >
> > NEW
> >    Each of the following (N,A,P,C) tuples show the ciphertext C that
> >    results from OCB-ENCRYPT(K,N,A,P) when K is fixed with the
> >    value
> >
> >    K : 000102030405060708090A0B0C0D0E0F
> >
> >
> >    An empty entry indicates the empty string. The nonces are
> incrementing.
> >
> >      N: BBAA99887766554433221100
> >      A:
> >      P:
> >      C: 785407BFFFC8AD9EDCC5520AC9111EE6
> >
> >      N: BBAA99887766554433221101
> >      A: 0001020304050607
> >      P: 0001020304050607
> >      C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009
> >    ...
> >
> > OLD
> >    K = zeros(KEYLEN)                  // Keylength of AES in use
> >    C = <empty string>
> >    for i = 0 to 127 do
> >       S = zeros(8i)                   // i bytes of zeros
> >       N = zeros(88) || num2str(i,8)   // 11 byte zero then 1 byte i
> >       C = C || OCB-ENCRYPT(K,N,S,S)
> >       C = C || OCB-ENCRYPT(K,N,<empty string>,S)
> >       C = C || OCB-ENCRYPT(K,N,S,<empty string>)
> >    end for
> >    N = zeros(96)
> >    Output : OCB-ENCRYPT(K,N,C,<empty string>)
> >
> > NEW
> >    K = zeros(KEYLEN)                  // Keylength of AES in use
> >    C = <empty string>
> >    for i = 0 to 127 do
> >       S = zeros(8i)                   // i bytes of zeros
> >       N = zeros(80) || num2str(i,8) || num2str(1,8)
> >       C = C || OCB-ENCRYPT(K,N,S,S)
> >       N = zeros(80) || num2str(i,8) || num2str(2,8)
> >       C = C || OCB-ENCRYPT(K,N,<empty string>,S)
> >       N = zeros(80) || num2str(i,8) || num2str(3,8)
> >       C = C || OCB-ENCRYPT(K,N,S,<empty string>)
> >    end for
> >    N = zeros(96)
> >    Output : OCB-ENCRYPT(K,N,C,<empty string>)
> >
> >    ...and change the results accordingly...
> >
> >
> > Other than these tweak to the samples, the OCB spec looks great.
> >
> > --
> > James Manger

v2.23.0 | Report a Bug | By Email