Re: [Cfrg] OCB test vectors reusing nonces
Ted Krovetz <ted@krovetz.net> Fri, 24 January 2014 01:22 UTC
From: Ted Krovetz <ted@krovetz.net>
Date: Thu, 23 Jan 2014 17:22:32 -0800
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Thanks, James, for verifying the vectors. I'm reluctant to modify the draft this substantially at this point in the process. Such a change might significantly delay its progress. Although I agree that your selection of tests is probably better than those in the draft, I also believe that the vectors in the draft along with reference implementations are sufficient to produce a correct implementation.

-Ted

On Jan 22, 2014, at 10:13 PM, Manger, James <James.H.Manger@team.telstra.com> wrote:

> I have implemented OCB authenticated encryption as per draft-irtf-cfrg-ocb-05.
> I concur with the sample results in Appendix A.
>
> The sample results include 16 {aad, plaintext, ciphertext} tuples, but they are all for a tag length of 128.
> It would be nice to include 1 similar sample with another tag length (in addition to the final section of Appendix A that does include results for other tag lengths, but only after a more complex combination of 385 encryptions).
>
> The first 16 samples all use the same key and nonce.
> The last 9 samples involve reusing key & nonce pairs 3 times.
> A crucial feature of OCB is that a key & nonce pair MUST NOT be reused.
> The sample results should not violate this crucial condition.
> The samples might actually be hard to run in some implementations that take strong measures to prevent nonce reuse.
>
> I suggest using incrementing nonces for the samples:
>
> OLD
> Each of the following (A,P,C) triples show the ciphertext C that
> results from OCB-ENCRYPT(K,N,A,P) when K and N are fixed with the
> values
>
> K : 000102030405060708090A0B0C0D0E0F
> N : 000102030405060708090A0B
>
> An empty entry indicates the empty string.
>
> A:
> P:
> C: 197B9C3C441D3C83EAFB2BEF633B9182
>
> A: 0001020304050607
> P: 0001020304050607
> C: 92B657130A74B85A16DC76A46D47E1EAD537209E8A96D14E
> ...
>
> NEW
> Each of the following (N,A,P,C) tuples show the ciphertext C that
> results from OCB-ENCRYPT(K,N,A,P) when K is fixed with the
> value
>
> K : 000102030405060708090A0B0C0D0E0F
>
> An empty entry indicates the empty string. The nonces are incrementing.
>
> N: BBAA99887766554433221100
> A:
> P:
> C: 785407BFFFC8AD9EDCC5520AC9111EE6
>
> N: BBAA99887766554433221101
> A: 0001020304050607
> P: 0001020304050607
> C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009
> ...
>
> OLD
> K = zeros(KEYLEN)                  // Keylength of AES in use
> C = <empty string>
> for i = 0 to 127 do
>     S = zeros(8i)                  // i bytes of zeros
>     N = zeros(88) || num2str(i,8)  // 11 byte zero then 1 byte i
>     C = C || OCB-ENCRYPT(K,N,S,S)
>     C = C || OCB-ENCRYPT(K,N,<empty string>,S)
>     C = C || OCB-ENCRYPT(K,N,S,<empty string>)
> end for
> N = zeros(96)
> Output : OCB-ENCRYPT(K,N,C,<empty string>)
>
> NEW
> K = zeros(KEYLEN)                  // Keylength of AES in use
> C = <empty string>
> for i = 0 to 127 do
>     S = zeros(8i)                  // i bytes of zeros
>     N = zeros(80) || num2str(i,8) || num2str(1,8)
>     C = C || OCB-ENCRYPT(K,N,S,S)
>     N = zeros(80) || num2str(i,8) || num2str(2,8)
>     C = C || OCB-ENCRYPT(K,N,<empty string>,S)
>     N = zeros(80) || num2str(i,8) || num2str(3,8)
>     C = C || OCB-ENCRYPT(K,N,S,<empty string>)
> end for
> N = zeros(96)
> Output : OCB-ENCRYPT(K,N,C,<empty string>)
>
> ...and change the results accordingly...
>
> Other than these tweaks to the samples, the OCB spec looks great.
>
> --
> James Manger
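An added example (my own code, not from the draft or from either correspondent) that models the (key, nonce) schedule of the OLD and NEW iterative tests quoted above and checks each one the way an implementation that refuses to reuse a (key, nonce) pair would. OCB-ENCRYPT itself is not implemented; the 16-byte zero key is an assumption standing in for zeros(KEYLEN) with AES-128.

```python
from collections import Counter

# Constructed assumption: AES-128, so zeros(KEYLEN) is 16 zero bytes.
KEY = bytes(16)


def num2str(n: int, bits: int) -> bytes:
    """The draft's num2str(n, bits): n as a big-endian string of bits/8 bytes."""
    return n.to_bytes(bits // 8, "big")


def old_schedule():
    """(key, nonce) for each OCB-ENCRYPT call in the OLD iterative test.

    One nonce zeros(88) || num2str(i,8) serves three calls per i, and the
    i = 0 nonce is also the final N = zeros(96)."""
    pairs = []
    for i in range(128):
        n = bytes(11) + num2str(i, 8)
        pairs += [(KEY, n)] * 3
    pairs.append((KEY, bytes(12)))
    return pairs


def new_schedule():
    """(key, nonce) for each call in the NEW test: a distinct nonce
    zeros(80) || num2str(i,8) || num2str(j,8), j in 1..3, per call."""
    pairs = []
    for i in range(128):
        for j in (1, 2, 3):
            pairs.append((KEY, bytes(10) + num2str(i, 8) + num2str(j, 8)))
    pairs.append((KEY, bytes(12)))
    return pairs


def reused_pairs(schedule):
    """(key, nonce) pairs that occur more than once, sorted."""
    return sorted(p for p, c in Counter(schedule).items() if c > 1)


def first_rejected_call(schedule):
    """Index of the first call that an implementation refusing to reuse a
    (key, nonce) pair would reject, or None if every call is accepted."""
    seen = set()
    for idx, pair in enumerate(schedule):
        if pair in seen:
            return idx
        seen.add(pair)
    return None
```

Both schedules come to the 385 encryptions mentioned in the message; the OLD one is rejected at its second call and reuses all 128 loop nonces, while the NEW one has no repeated (key, nonce) pair.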