Re: [Cfrg] Request For Comments: OCB Internet-Draft

Ted Krovetz <ted@krovetz.net> Fri, 15 July 2011 22:08 UTC

From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <462E229B-F320-4431-8F7E-D5536A7386BC@qualcomm.com>
Date: Fri, 15 Jul 2011 15:08:04 -0700
Message-Id: <235D72A3-FFEC-4836-873B-A0BD5F655803@krovetz.net>
References: <22798CA3-3D49-4652-A5DB-EC25ACCD245C@krovetz.net> <2B90DB3F-327A-45B3-B1AE-C8D19825CF31@krovetz.net> <87r55sc72o.fsf@latte.josefsson.org> <FD9110CA-6C21-492D-9DE3-027C77A0A31F@krovetz.net> <4FB2F68A-8B84-4953-A7B1-87D3E9DCEA2D@vpnc.org> <B89E1A56-0533-4420-B6C6-8B8F81BEC2CE@krovetz.net> <20110715173835.GI13721@randombit.net> <462E229B-F320-4431-8F7E-D5536A7386BC@qualcomm.com>
To: cfrg@irtf.org
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft

> there must be an absolute prohibition on using the decryption results of an invalid packet

Yes, that is made explicit in the ID.

> I think part of the issue is that making something truly 'impossible' is quite a bit harder than it might sound, especially in the face of an active attacker who might well decide that the easiest way of breaking the system is to force it to reuse a nonce somehow

That's a problem. When using a scheme that demands nonce uniqueness, the probability of nonce reuse becomes a lower bound on design strength. The OCB ID suggests using a scheme (like SIV) that tolerates nonce reuse if nonce uniqueness cannot be guaranteed.
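As an added illustration of the two points above (this is not code from the thread, the OCB draft, or any SIV implementation), a toy in which HMAC-SHA256 stands in for the block cipher: a purely nonce-based scheme reveals the XOR of two plaintexts as soon as a nonce repeats, while a SIV-style scheme whose IV is derived from (nonce, message) reveals only whether the two messages were equal, and its decrypt releases nothing when the packet is invalid. KEY and NONCE are constructed sample values.

```python
# Added example, not from the OCB draft: HMAC-SHA256 is a stand-in PRF,
# so this is NOT OCB and NOT AES-SIV; only the structural difference matters.
import hmac
import hashlib

KEY = bytes(range(32))        # constructed sample key
NONCE = b"\x00" * 12          # constructed sample nonce (deliberately reused below)

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream of n bytes from PRF(key, iv || counter)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Nonce-based scheme: the keystream depends only on (key, nonce)."""
    return _xor(msg, _keystream(key, nonce, len(msg)))

def siv_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """SIV-style: IV = PRF(key, nonce || msg); output is IV || CTR(msg)."""
    iv = hmac.new(key, nonce + msg, hashlib.sha256).digest()[:16]
    return iv + _xor(msg, _keystream(key, iv, len(msg)))

def siv_decrypt(key: bytes, nonce: bytes, ct: bytes):
    """Returns the plaintext, or None. The tentative plaintext is never
    released on an invalid packet, as the draft requires."""
    iv, body = ct[:16], ct[16:]
    msg = _xor(body, _keystream(key, iv, len(body)))
    expected = hmac.new(key, nonce + msg, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):
        return None
    return msg

def nonce_reuse_reveals_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Under nonce reuse the nonce-based scheme leaks m1 XOR m2 exactly."""
    c1, c2 = nonce_encrypt(key, nonce, m1), nonce_encrypt(key, nonce, m2)
    return _xor(c1, c2) == _xor(m1, m2)

def siv_reveals_only_equality(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Under nonce reuse the SIV-style scheme leaks only whether m1 == m2."""
    c1, c2 = siv_encrypt(key, nonce, m1), siv_encrypt(key, nonce, m2)
    return (c1 == c2) == (m1 == m2)
```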