Re: [Cfrg] Request For Comments: OCB Internet-Draft

Ted Krovetz <> Fri, 15 July 2011 15:04 UTC

From: Ted Krovetz <>
In-Reply-To: <>
Date: Fri, 15 Jul 2011 08:04:08 -0700
List-Id: Crypto Forum Research Group <>

> Are there any implications for the key if a nonce is repeated?  Let's
> say I use the same nonce all the time, and the attacker can do
> known-plaintext attacks.  Can the attacker recover the key faster than
> he would be able to if the nonces were not repeated?

No. The only place the OCB key is used is as the key for AES. So, if one were able to recover OCB keys in the way you suggest, one would in effect have an AES key-extraction method. Since we don't think AES is susceptible to key-extraction, neither is OCB.

> I'm trying to get AEAD cipher modes to say more than just "the security
> properties are lost" when talking about failure modes.  "security
> properties are lost" can mean so many things, and it is useful to be
> able to rule out some unwanted side effects.

In the ID we point out that if a nonce is reused during encryption, "partial information about past plaintexts will be revealed and subsequent forgeries will be possible". That seems specific enough for an RFC, don't you think?
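The two consequences named in the reply, block-level plaintext leakage and forgery, can be shown concretely. The Python below is an added example, not code from the Internet-Draft or from anyone in this thread. It implements the OCB algorithm of the draft (the RFC 7253 construction: L values by doubling in GF(2^128), the Ktop/Stretch nonce expansion, per-block offsets, XOR checksum, and a tag that is E_K(Checksum xor Offset_$) xor HASH(K, A)), restricted to 96-bit nonces, 128-bit tags and whole 16-byte blocks of message and associated data. Because the standard library has no AES, the block cipher is a toy 4-round Feistel network built from HMAC-SHA256; that stand-in is an assumption of this example only, and OCB's algebra does not depend on which block cipher sits underneath. The function names (`OCB`, `block_equality_leak`, `forge_with_reused_nonce`, `roundtrip`) are mine, not the draft's.

```python
"""RFC 7253 OCB over a toy 128-bit block cipher, plus a nonce-reuse demo.

Added example (not the OCB draft's reference code). The Feistel cipher is a
stand-in assumed here so the file has no dependencies; real OCB uses AES.
Restricted to 96-bit nonces, 128-bit tags, and whole-block messages/AD.
"""
import hmac, hashlib, os

MASK128 = (1 << 128) - 1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):  # 64-bit Feistel round function (assumed stand-in)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt(key, block):  # 128-bit keyed permutation, NOT AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def toy_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def double(s):  # multiply by x in GF(2^128), RFC 7253 section 2
    n = int.from_bytes(s, 'big')
    n = ((n << 1) & MASK128) ^ (0x87 if n >> 127 else 0)
    return n.to_bytes(16, 'big')

def ntz(i):  # number of trailing zero bits of i (i >= 1)
    return (i & -i).bit_length() - 1

class OCB:
    def __init__(self, key):
        self.E = lambda b: toy_encrypt(key, b)
        self.D = lambda b: toy_decrypt(key, b)
        self.L_star = self.E(bytes(16))          # L_* = E_K(0^128)
        self.L_dollar = double(self.L_star)      # L_$
        self.L = [double(self.L_dollar)]         # L_0, L_1, ... by doubling
        for _ in range(32):
            self.L.append(double(self.L[-1]))

    def _hash(self, ad):  # HASH(K, A): PMAC-style, independent of the nonce
        s, offset = bytes(16), bytes(16)
        for i in range(len(ad) // 16):
            offset = xor(offset, self.L[ntz(i + 1)])
            s = xor(s, self.E(xor(ad[16*i:16*i+16], offset)))
        return s

    def _offset0(self, nonce):  # Offset_0 from Nonce = 0^31 || 1 || N (96-bit N)
        n = bytes(3) + b'\x01' + nonce
        bottom = n[-1] & 0x3F
        ktop = self.E(n[:-1] + bytes([n[-1] & 0xC0]))
        stretch = ktop + xor(ktop[:8], ktop[1:9])
        return ((int.from_bytes(stretch, 'big') >> (64 - bottom)) & MASK128).to_bytes(16, 'big')

    def _tag(self, checksum, offset, ad):
        return xor(self.E(xor(checksum, xor(offset, self.L_dollar))), self._hash(ad))

    def encrypt(self, nonce, ad, pt):
        assert len(nonce) == 12 and len(pt) % 16 == 0 and len(ad) % 16 == 0
        offset, checksum, ct = self._offset0(nonce), bytes(16), b''
        for i in range(len(pt) // 16):
            p = pt[16*i:16*i+16]
            offset = xor(offset, self.L[ntz(i + 1)])
            ct += xor(offset, self.E(xor(p, offset)))   # C_i = Offset_i ^ E(P_i ^ Offset_i)
            checksum = xor(checksum, p)
        return ct, self._tag(checksum, offset, ad)

    def decrypt(self, nonce, ad, ct, tag):
        offset, checksum, pt = self._offset0(nonce), bytes(16), b''
        for i in range(len(ct) // 16):
            offset = xor(offset, self.L[ntz(i + 1)])
            p = xor(offset, self.D(xor(ct[16*i:16*i+16], offset)))
            pt += p
            checksum = xor(checksum, p)
        if not hmac.compare_digest(self._tag(checksum, offset, ad), tag):
            raise ValueError("bad tag")
        return pt

def roundtrip(key, nonce):
    """Honest use: decrypt(encrypt(pt)) == pt, and a flipped ciphertext byte is rejected."""
    ocb, ad, pt = OCB(key), b'hdr' + bytes(13), b'attack at dawn!!' * 2
    ct, tag = ocb.encrypt(nonce, ad, pt)
    ok = ocb.decrypt(nonce, ad, ct, tag) == pt
    try:
        ocb.decrypt(nonce, ad, bytes([ct[0] ^ 1]) + ct[1:], tag); rejected = False
    except ValueError:
        rejected = True
    return ok, rejected

def block_equality_leak(key, nonce):
    """Nonce reused, same first plaintext block: the first ciphertext block repeats.
    Returns (first blocks equal, second blocks equal); constructed plaintexts."""
    ocb = OCB(key)
    c1, _ = ocb.encrypt(nonce, b'', b'attack at dawn!!' + b'B' * 16)
    c2, _ = ocb.encrypt(nonce, b'', b'attack at dawn!!' + b'C' * 16)
    return c1[:16] == c2[:16], c1[16:] == c2[16:]

def forge_with_reused_nonce(key, nonce):
    """Three encryptions under one nonce give a valid tag for an (AD, C) pair never queried.
    Tag = F(P) ^ HASH(A) with F nonce-dependent and HASH nonce-independent, so
    t1 ^ t2 ^ t3 = F(p2) ^ HASH(a2). The key is never learned."""
    ocb = OCB(key)
    p1, p2, a1, a2 = b'P' * 32, b'Q' * 32, b'A' * 16, b'Z' * 16
    _, t1 = ocb.encrypt(nonce, a1, p1)
    _, t2 = ocb.encrypt(nonce, a2, p1)
    c3, t3 = ocb.encrypt(nonce, a1, p2)
    forged_tag = xor(xor(t1, t2), t3)
    return ocb.decrypt(nonce, a2, c3, forged_tag) == p2

if __name__ == "__main__":
    k, n = os.urandom(32), os.urandom(12)
    print(roundtrip(k, n), block_equality_leak(k, n), forge_with_reused_nonce(k, n))
```

Both effects are exactly what the draft's sentence promises and nothing more: the leak is positional (equal blocks at the same index under the same nonce encrypt identically), the forgery recombines tag components the attacker has already seen, and at no point does either attack reveal anything about the key beyond the values of E_K at particular inputs, which is the point of the reply above.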