Re: [Cfrg] Attacker changing the tag length in OCB
"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 04 June 2013 00:34 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D002E21F96DF for <cfrg@ietfa.amsl.com>; Mon, 3 Jun 2013 17:34:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.329
X-Spam-Level:
X-Spam-Status: No, score=0.329 tagged_above=-999 required=5 tests=[AWL=-0.629, BAYES_20=-0.74, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJectcEIkMfk for <cfrg@ietfa.amsl.com>; Mon, 3 Jun 2013 17:34:35 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id E183621E80C9 for <cfrg@irtf.org>; Mon, 3 Jun 2013 17:09:29 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.87,796,1363093200"; d="scan'208";a="139257819"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipobvi.tcif.telstra.com.au with ESMTP; 04 Jun 2013 10:08:48 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7095"; a="188420052"
Received: from wsmsg3752.srv.dir.telstra.com ([172.49.40.173]) by ipcavi.tcif.telstra.com.au with ESMTP; 04 Jun 2013 10:08:48 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3752.srv.dir.telstra.com ([172.49.40.173]) with mapi; Tue, 4 Jun 2013 10:08:47 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Phillip Rogaway <rogaway@cs.ucdavis.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 04 Jun 2013 10:08:46 +1000
Thread-Topic: [Cfrg] Attacker changing the tag length in OCB
Thread-Index: Ac5gk+pMPGebXJI8R8uJYGKaAONKOQAH+fjQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151AFAC0A7@WSMSG3153V.srv.dir.telstra.com>
References: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>
In-Reply-To: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [Cfrg] Attacker changing the tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 00:35:17 -0000
Phil Rogaway said: > (1) Require the nonce N to be 120 or fewer bits (right now, > we allow up to 127 bits); > > (2) In the definition of OCB, replace the step > Nonce = zeros(127-bitlen(N)) || 1 || N > by > Nonce = taglen || zeros(120-bitlen(N)) || 1 || N > where taglen is the 7-bit binary representation of (TAGLEN mod 128) > > I think it's a good approach, designed to ensure that there's no change > to OCB when the tag length is 128 bits (which we think is the the > customary choice). And "conventional" AEAD security is trivially > maintained. > > There are arguments both for and against making such a change: > (+1) I think it does add a measure of robustness to have the > "ciphertext core" meaningfully vary with the tag length. ... > When I weigh the pluses and minuses, I'm of the opinion that it > is reasonable to go either way. Ted leans towards making > the change. Neither of us feels strongly about it. > If there is a consensus on this mailing list in favor of > the change, Ted and I will make it. I'm +1 on making this change. I would also add text saying "any given key MUST only be used with one tag length" -- since the aim of the change isn't to promote using one key with multiple tag lengths, but to add a measure of robustness even if a decryptor fails to properly enforce once-key-one-tag-length. -- James Manger
- Re: [Cfrg] Attacker changing the tag length in OCB Phillip Rogaway
- Re: [Cfrg] Attacker changing the tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing the tag length in OCB David McGrew
- Re: [Cfrg] Attacker changing the tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing the tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing the tag length in OCB Jack Lloyd
- [Cfrg] WG last call on latest OCB draft. Igoe, Kevin M.
- Re: [Cfrg] WG last call on latest OCB draft. Ted Krovetz
- Re: [Cfrg] WG last call on latest OCB draft. David Jacobson