Re: [Cfrg] OCB test vectors reusing nonces

Ted Krovetz <ted@krovetz.net> Fri, 24 January 2014 01:22 UTC

From: Ted Krovetz <ted@krovetz.net>
Date: Thu, 23 Jan 2014 17:22:32 -0800
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] OCB test vectors reusing nonces

Thanks, James, for verifying the vectors.

I'm reluctant to modify the draft this substantially at this point in the process. Such a change might significantly delay its progress.

Although I agree that your selection of tests is probably better than those in the draft, I also believe that the vectors in the draft, along with the reference implementations, are sufficient to produce a correct implementation.

-Ted

On Jan 22, 2014, at 10:13 PM, Manger, James <James.H.Manger@team.telstra.com> wrote:

> I have implemented OCB authenticated encryption as per draft-irtf-cfrg-ocb-05.
> I concur with the sample results in Appendix A.
>  
> The sample results include 16 {aad, plaintext, ciphertext} tuples, but they are all for a tag length of 128.
> It would be nice to include 1 similar sample with another tag length (in addition to the final section of Appendix A that does include results for other tag lengths, but only after a more complex combination of 385 encryptions).
>  
> The first 16 samples all use the same key and nonce.
> The last 9 samples involve reusing key & nonce pairs 3 times.
> A crucial feature of OCB is that a key & nonce pair MUST NOT be reused.
> The sample results should not violate this crucial condition.
> The samples might actually be hard to run in some implementations that take strong measures to prevent nonce reuse.
>  
> I suggest using incrementing nonces for the samples:
> OLD
>    Each of the following (A,P,C) triples show the ciphertext C that
>    results from OCB-ENCRYPT(K,N,A,P) when K and N are fixed with the
>    values
>  
>    K : 000102030405060708090A0B0C0D0E0F
>    N : 000102030405060708090A0B
>  
>  
>    An empty entry indicates the empty string.
>  
>      A:
>      P:
>      C: 197B9C3C441D3C83EAFB2BEF633B9182
>  
>      A: 0001020304050607
>      P: 0001020304050607
>      C: 92B657130A74B85A16DC76A46D47E1EAD537209E8A96D14E
>    ...
>  
> NEW
>    Each of the following (N,A,P,C) tuples show the ciphertext C that
>    results from OCB-ENCRYPT(K,N,A,P) when K is fixed with the
>    value
>  
>    K : 000102030405060708090A0B0C0D0E0F
>  
>  
>    An empty entry indicates the empty string. The nonces are incrementing.
>  
>      N: BBAA99887766554433221100
>      A:
>      P:
>      C: 785407BFFFC8AD9EDCC5520AC9111EE6
>  
>      N: BBAA99887766554433221101
>      A: 0001020304050607
>      P: 0001020304050607
>      C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009
>    ...
>  
> OLD
>    K = zeros(KEYLEN)                  // Keylength of AES in use
>    C = <empty string>
>    for i = 0 to 127 do
>       S = zeros(8i)                   // i bytes of zeros
>       N = zeros(88) || num2str(i,8)   // 11 byte zero then 1 byte i
>       C = C || OCB-ENCRYPT(K,N,S,S)
>       C = C || OCB-ENCRYPT(K,N,<empty string>,S)
>       C = C || OCB-ENCRYPT(K,N,S,<empty string>)
>    end for
>    N = zeros(96)
>    Output : OCB-ENCRYPT(K,N,C,<empty string>)
>  
> NEW
>    K = zeros(KEYLEN)                  // Keylength of AES in use
>    C = <empty string>
>    for i = 0 to 127 do
>       S = zeros(8i)                   // i bytes of zeros
>       N = zeros(80) || num2str(i,8) || num2str(1,8)
>       C = C || OCB-ENCRYPT(K,N,S,S)
>       N = zeros(80) || num2str(i,8) || num2str(2,8)
>       C = C || OCB-ENCRYPT(K,N,<empty string>,S)
>       N = zeros(80) || num2str(i,8) || num2str(3,8)
>       C = C || OCB-ENCRYPT(K,N,S,<empty string>)
>    end for
>    N = zeros(96)
>    Output : OCB-ENCRYPT(K,N,C,<empty string>)
>  
>    ...and change the results accordingly...
>  
>  
> Other than these tweaks to the samples, the OCB spec looks great.
>  
> --
> James Manger
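The point of James's suggestion is that a harness which refuses to encrypt twice under the same (key, nonce) pair cannot run the OLD vectors. The following is an added example, not code from the draft or from either message: it models only the nonce schedule of the OLD and NEW loops quoted above (OCB itself is not implemented) and counts how often each (key, nonce) pair recurs. It goes slightly beyond the text in that it also includes the final `N = zeros(96)` encryption in the count; the key length and the report format are my assumptions.

```python
# Added example (not from the draft or the thread): enumerate the nonces the
# OLD and NEW test-harness loops pass to OCB-ENCRYPT and count (key, nonce)
# recurrences. Only the nonce schedule is modelled, not OCB encryption.
from collections import Counter

KEYLEN_BYTES = 16                        # assumption: AES-128 as in the samples
KEY = bytes(KEYLEN_BYTES)                # K = zeros(KEYLEN)


def num2str(i: int, bits: int) -> bytes:
    """num2str(i, bits) from the draft: i as a bits-wide big-endian string."""
    return i.to_bytes(bits // 8, "big")


def old_nonce_schedule() -> list:
    """Nonces used by the OLD harness, in OCB-ENCRYPT call order."""
    nonces = []
    for i in range(128):
        n = bytes(11) + num2str(i, 8)    # N = zeros(88) || num2str(i,8)
        nonces += [n, n, n]              # three encryptions share this N
    nonces.append(bytes(12))             # final N = zeros(96)
    return nonces


def new_nonce_schedule() -> list:
    """Nonces used by the proposed NEW harness, one fresh N per encryption."""
    nonces = []
    for i in range(128):
        for j in (1, 2, 3):              # N = zeros(80) || num2str(i,8) || num2str(j,8)
            nonces.append(bytes(10) + num2str(i, 8) + num2str(j, 8))
    nonces.append(bytes(12))             # final N = zeros(96)
    return nonces


def reuse_report(key: bytes, nonces: list) -> dict:
    """Summarise (key, nonce) usage. A harness enforcing nonce uniqueness
    would refuse any pair seen before, so max_uses > 1 means the vectors
    cannot be produced under that policy."""
    counts = Counter((key, n) for n in nonces)
    return {
        "encryptions": len(nonces),
        "distinct_pairs": len(counts),
        "max_uses": max(counts.values()),
        "reused_nonces": sum(1 for c in counts.values() if c > 1),
    }


if __name__ == "__main__":
    for name, sched in (("OLD", old_nonce_schedule()), ("NEW", new_nonce_schedule())):
        print(name, reuse_report(KEY, sched))
```

Running it shows the OLD loop issuing 385 encryptions under only 128 distinct nonces (the all-zero nonce is used four times, since the final `zeros(96)` coincides with the `i = 0` nonce), while the NEW loop uses 385 distinct nonces.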