[Cfrg] OCB test vectors reusing nonces

"Manger, James" <James.H.Manger@team.telstra.com> Thu, 23 January 2014 06:13 UTC

I have implemented OCB authenticated encryption as per draft-irtf-cfrg-ocb-05.
I concur with the sample results in Appendix A.

The sample results include 16 {aad, plaintext, ciphertext} tuples, but they are all for a tag length of 128.
It would be nice to include 1 similar sample with another tag length (in addition to the final section of Appendix A that does include results for other tag lengths, but only after a more complex combination of 385 encryptions).

The first 16 samples all use the same key and nonce.
The last 9 samples involve reusing key & nonce pairs 3 times.
A crucial feature of OCB is that a key & nonce pair MUST NOT be reused.
The sample results should not violate this crucial condition.
The samples might actually be hard to run in some implementations that take strong measures to prevent nonce reuse.

I suggest using incrementing nonces for the samples:
OLD

   Each of the following (A,P,C) triples show the ciphertext C that
   results from OCB-ENCRYPT(K,N,A,P) when K and N are fixed with the
   values

   K : 000102030405060708090A0B0C0D0E0F
   N : 000102030405060708090A0B

   An empty entry indicates the empty string.

     A:
     P:
     C: 197B9C3C441D3C83EAFB2BEF633B9182

     A: 0001020304050607
     P: 0001020304050607
     C: 92B657130A74B85A16DC76A46D47E1EAD537209E8A96D14E

   ...

NEW

   Each of the following (N,A,P,C) tuples show the ciphertext C that
   results from OCB-ENCRYPT(K,N,A,P) when K is fixed with the
   value

   K : 000102030405060708090A0B0C0D0E0F

   An empty entry indicates the empty string. The nonces are incrementing.

     N: BBAA99887766554433221100
     A:
     P:
     C: 785407BFFFC8AD9EDCC5520AC9111EE6

     N: BBAA99887766554433221101
     A: 0001020304050607
     P: 0001020304050607
     C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009

   ...

OLD

   K = zeros(KEYLEN)                  // Keylength of AES in use
   C = <empty string>
   for i = 0 to 127 do
      S = zeros(8i)                   // i bytes of zeros
      N = zeros(88) || num2str(i,8)   // 11 byte zero then 1 byte i
      C = C || OCB-ENCRYPT(K,N,S,S)
      C = C || OCB-ENCRYPT(K,N,<empty string>,S)
      C = C || OCB-ENCRYPT(K,N,S,<empty string>)
   end for
   N = zeros(96)
   Output : OCB-ENCRYPT(K,N,C,<empty string>)

NEW

   K = zeros(KEYLEN)                  // Keylength of AES in use
   C = <empty string>
   for i = 0 to 127 do
      S = zeros(8i)                   // i bytes of zeros
      N = zeros(80) || num2str(i,8) || num2str(1,8)
      C = C || OCB-ENCRYPT(K,N,S,S)
      N = zeros(80) || num2str(i,8) || num2str(2,8)
      C = C || OCB-ENCRYPT(K,N,<empty string>,S)
      N = zeros(80) || num2str(i,8) || num2str(3,8)
      C = C || OCB-ENCRYPT(K,N,S,<empty string>)
   end for
   N = zeros(96)
   Output : OCB-ENCRYPT(K,N,C,<empty string>)

   ...and change the results accordingly...


Other than these tweaks to the samples, the OCB spec looks great.

--
James Manger
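
Added example (not part of the original message or of draft-irtf-cfrg-ocb-05): a Python check that replays the nonce schedules of the OLD and NEW algorithms quoted above through a reuse guard, without performing any encryption. `NonceGuard`, `audit`, `old_schedule` and `new_schedule` are hypothetical names; the key is the fixed zeros(KEYLEN) of the pseudocode, so only N is tracked.

```python
from collections import Counter


def zeros(bits):
    """zeros(n) from the pseudocode: n bits of zero, n a multiple of 8."""
    return bytes(bits // 8)


def num2str(value, bits):
    """num2str(x, n) from the pseudocode: x as an n-bit big-endian string."""
    return value.to_bytes(bits // 8, "big")


def old_schedule():
    """Nonces, in call order, used by the OLD algorithm."""
    nonces = []
    for i in range(128):
        n = zeros(88) + num2str(i, 8)
        nonces += [n, n, n]              # three OCB-ENCRYPT calls share one N
    nonces.append(zeros(96))             # final call over the accumulated C
    return nonces


def new_schedule():
    """Nonces, in call order, used by the NEW algorithm."""
    nonces = []
    for i in range(128):
        for j in (1, 2, 3):              # one distinct N per OCB-ENCRYPT call
            nonces.append(zeros(80) + num2str(i, 8) + num2str(j, 8))
    nonces.append(zeros(96))             # last byte 0, so it cannot collide
    return nonces


class NonceGuard:
    """Hypothetical per-key guard: accepts each nonce at most once."""

    def __init__(self):
        self.seen = set()

    def check(self, nonce):
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True


def audit(nonces):
    """Count how many calls a reuse-rejecting implementation would refuse."""
    guard = NonceGuard()
    rejected = sum(1 for n in nonces if not guard.check(n))
    return {"calls": len(nonces), "distinct": len(guard.seen),
            "rejected": rejected, "max_uses": max(Counter(nonces).values())}
```

In the OLD schedule the final N = zeros(96) also equals the i = 0 loop nonce, so that value is used four times; the NEW schedule keeps all 385 calls on distinct nonces.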