Re: [Cfrg] OCB test vectors reusing nonces

Matt Caswell <frodo@baggins.org> Thu, 23 January 2014 23:28 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1153850CDA3@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1153850CDA3@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 23 Jan 2014 23:28:13 +0000
Message-ID: <CAMoSCWaaVcKUnd66XMdEtMpzDKTjxRjin1XwSDodb8YwRA+nvg@mail.gmail.com>
From: Matt Caswell <frodo@baggins.org>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] OCB test vectors reusing nonces

On 23 January 2014 06:13, Manger, James <James.H.Manger@team.telstra.com> wrote:
> I have implemented OCB authenticated encryption as per
> draft-irtf-cfrg-ocb-05.
>
> I concur with the sample results in Appendix A.
>
> The sample results include 16 {aad, plaintext, ciphertext} tuples, but they
> are all for a tag length of 128.
>
> It would be nice to include 1 similar sample with another tag length (in
> addition to the final section of Appendix A that does include results for
> other tag lengths, but only after a more complex combination of 385
> encryptions).

For info, in my own OCB implementation I used the following additional
sample result with an alternative tag length (96 bits). This was
generated using the reference implementation. Key and nonce as per the
other samples:

A: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
P: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
C: 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A96766FC4E2EE3E3A5A11B6C44F34E3ABB3CBF8976E7

I have validated this against my own implementation (a patch for
OpenSSL) available here:

https://rt.openssl.org/Ticket/Display.html?id=3181&user=guest&pass=guest

Regards

Matt