Re: [Cfrg] OCB test vectors reusing nonces

Matt Caswell <frodo@baggins.org> Tue, 28 January 2014 22:58 UTC

Date: Tue, 28 Jan 2014 22:58:23 +0000
From: Matt Caswell <frodo@baggins.org>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] OCB test vectors reusing nonces

On 28 January 2014 05:21, Manger, James <James.H.Manger@team.telstra.com> wrote:
> Ted,
>
> Attached is my version of the updated test vectors for appendix A of draft-irtf-cfrg-ocb.
>
> The first 16 {N,A,P,C} tuples use incrementing nonces.
>
> I added one example with a 96-bit tag and a separate key (since we recommend using a single tag length with any given key). It uses the same nonce as the 128-bit tag example with the same A and P.
>
> The final examples use incrementing nonces.
>
> I made minor changes to the text.

I have successfully managed to verify all of these proposed test
vectors with my implementation of OCB.

However, I understood that one of your objectives for proposing a
change to the test vectors was to not reuse the same key and nonce
within the tests. This objective has not been achieved in the final
set of 9 more complex tests. Whilst you have incremented the nonce
between each encryption within a test, each test starts with an all
zero nonce and a fixed key.

Also - a more minor nit - your notation for incrementing the nonce
seems odd to me. The nonce is defined as a string of bytes - whereas
in your notation it is treated as an integer which can be incremented.

Matt
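The two points raised in the reply above, worked as an added example that is neither the draft's code nor any list member's OCB implementation: a nonce increment that treats N as a big-endian byte string (with carry and a hard stop on wrap-around), and a scan over a vector set that reports every (key, nonce) pair used more than once. Key and nonce lengths, and the vector set itself, are constructed for the illustration and are not the appendix's values.

```python
"""Two checks for an AEAD test-vector set (example code, not from the draft).

1. increment_nonce: adds one to N as a big-endian byte string, which is what
   "N+1" has to mean when the nonce is defined as a string of bytes.
2. find_key_nonce_reuse: scans (key, nonce) pairs across a whole vector set and
   reports any pair that appears more than once.
Key and nonce lengths below are constructed sample values, not the draft's.
"""
from collections import defaultdict


def increment_nonce(nonce: bytes) -> bytes:
    """Return nonce + 1 as a big-endian byte string of the same length.
    Raises OverflowError if every byte is 0xFF: the counter would wrap to
    all zeros and the nonce would repeat under the same key."""
    n = bytearray(nonce)
    for i in range(len(n) - 1, -1, -1):
        if n[i] != 0xFF:
            n[i] += 1
            return bytes(n)
        n[i] = 0  # carry into the next more significant byte
    raise OverflowError("nonce space exhausted; would wrap to all zeros")


def find_key_nonce_reuse(vectors):
    """vectors: iterable of (test_name, key, nonce) triples.
    Returns {(key, nonce): [test names]} for every pair used more than once."""
    seen = defaultdict(list)
    for name, key, nonce in vectors:
        seen[(key, nonce)].append(name)
    return {kn: names for kn, names in seen.items() if len(names) > 1}


def build_vectors(num_tests=3, encryptions_per_test=4):
    """Constructed vector set mirroring the problem described in the reply:
    every test reuses one fixed key and restarts its nonce from all zeros,
    so the nonces are fresh within a test but repeat across tests."""
    key = bytes(range(16))          # constructed fixed key
    out = []
    for t in range(num_tests):
        nonce = bytes(12)           # all-zero nonce at the start of each test
        for _ in range(encryptions_per_test):
            out.append((f"test{t}", key, nonce))
            nonce = increment_nonce(nonce)
    return out


if __name__ == "__main__":
    for (k, n), names in find_key_nonce_reuse(build_vectors()).items():
        print(f"nonce {n.hex()} reused under one key by: {', '.join(names)}")
```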