Re: [Cfrg] Request For Comments: OCB Internet-Draft

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 15 July 2011 15:35 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <FD9110CA-6C21-492D-9DE3-027C77A0A31F@krovetz.net>
Date: Fri, 15 Jul 2011 08:35:35 -0700
Message-Id: <4FB2F68A-8B84-4953-A7B1-87D3E9DCEA2D@vpnc.org>
References: <22798CA3-3D49-4652-A5DB-EC25ACCD245C@krovetz.net> <2B90DB3F-327A-45B3-B1AE-C8D19825CF31@krovetz.net> <87r55sc72o.fsf@latte.josefsson.org> <FD9110CA-6C21-492D-9DE3-027C77A0A31F@krovetz.net>
To: Ted Krovetz <ted@krovetz.net>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>

On Jul 15, 2011, at 8:04 AM, Ted Krovetz wrote:

> In the ID we point out that if a nonce is reused during encryption, "partial information about past plaintexts will be revealed and subsequent forgeries will be possible". That seems specific enough for an RFC, don't you think?

If you know how "partial" that is, it would be useful for the draft. One repetition exposing one bit of a past plaintext is quite different from one repetition exposing half the bits, even though both are bad. Knowing what more two repetitions bring the attacker over one repetition is also useful from an operational standpoint.

--Paul Hoffman
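The following is an added worked example and is not code from the OCB Internet-Draft, from Ted Krovetz, or from Paul Hoffman. It shows concretely what one kind of "partial information" looks like when a nonce is repeated: the encryption core is structured like OCB3 (draft-krovetz-ocb, later RFC 7253: GF(2^128) doubling for the L values, the Ktop/Stretch nonce processing, per-block offsets, and a checksum-based tag), restricted to whole blocks and no associated data. Because the draft assumes AES-128 and this example must run offline, the block cipher is an assumed placeholder, a four-round Feistel network with HMAC-SHA256 round functions (any bijection would do for the point being made). The helper names `toy_prp`, `ocb_encrypt`, and `repeated_nonce_leak` and the sample key, nonces, and plaintext blocks are all constructed here and are not from the draft.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as for AES-128 in the draft


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the placeholder cipher (assumption: not AES).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_prp(key: bytes, block: bytes) -> bytes:
    """Placeholder 128-bit block cipher: 4-round Feistel, a bijection on blocks.
    Stands in for AES-128; only the forward direction is needed here."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(b: bytes) -> bytes:
    """Multiplication by x in GF(2^128) with the OCB polynomial (x^128 + x^7 + x^2 + x + 1)."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(BLOCK, "big")


def ntz(i: int) -> int:
    """Number of trailing zero bits of i (i >= 1)."""
    return (i & -i).bit_length() - 1


def _initial_offset(key: bytes, nonce: bytes) -> bytes:
    """Offset_0 from a 96-bit nonce with a 128-bit tag, following the OCB3 layout:
    Nonce = 0^7 || 0^24 || 1 || N; Ktop = E(Nonce with low 6 bits cleared);
    Stretch = Ktop || (Ktop[0..63] xor Ktop[8..71]); Offset_0 = 128 bits of Stretch from bit 'bottom'."""
    assert len(nonce) == 12
    padded = b"\x00\x00\x00\x01" + nonce
    bottom = padded[15] & 0x3F
    ktop = toy_prp(key, padded[:15] + bytes([padded[15] & 0xC0]))
    stretch = ktop + xor(ktop[:8], ktop[1:9])
    s = int.from_bytes(stretch, "big")  # 192-bit integer
    return ((s >> (64 - bottom)) & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def ocb_encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """OCB-style encryption of whole blocks with no associated data.
    Returns (ciphertext, tag)."""
    assert len(plaintext) % BLOCK == 0
    l_star = toy_prp(key, bytes(BLOCK))
    l_dollar = double(l_star)
    l_table = [double(l_dollar)]  # L_0, L_1, ... computed on demand
    offset = _initial_offset(key, nonce)
    checksum = bytes(BLOCK)
    ciphertext = bytearray()
    for i in range(1, len(plaintext) // BLOCK + 1):
        while len(l_table) <= ntz(i):
            l_table.append(double(l_table[-1]))
        offset = xor(offset, l_table[ntz(i)])      # Offset_i = Offset_{i-1} xor L_{ntz(i)}
        p = plaintext[(i - 1) * BLOCK : i * BLOCK]
        ciphertext += xor(offset, toy_prp(key, xor(p, offset)))
        checksum = xor(checksum, p)
    # HASH(K, empty AD) is the zero block, so the tag is E(Checksum xor Offset_m xor L_$).
    tag = toy_prp(key, xor(xor(checksum, offset), l_dollar))
    return bytes(ciphertext), tag


def repeated_nonce_leak(ct1: bytes, ct2: bytes) -> list:
    """Block positions where two ciphertexts agree. Under the same key and nonce every
    Offset_i is identical, and E is a bijection, so C_i == C'_i exactly when P_i == P'_i:
    one nonce repetition gives the attacker a per-position plaintext-equality oracle."""
    n = min(len(ct1), len(ct2)) // BLOCK
    return [i for i in range(n)
            if ct1[i * BLOCK:(i + 1) * BLOCK] == ct2[i * BLOCK:(i + 1) * BLOCK]]


def demo() -> list:
    # Constructed sample inputs: two 4-block messages sharing blocks 0 and 2, one nonce reused.
    key, nonce = b"k" * 16, b"n" * 12
    a, b, c, d, x, y = (bytes([ch]) * BLOCK for ch in b"ABCDXY")
    ct1, _ = ocb_encrypt(key, nonce, a + b + c + d)
    ct2, _ = ocb_encrypt(key, nonce, a + x + c + y)
    return repeated_nonce_leak(ct1, ct2)


if __name__ == "__main__":
    print("positions where plaintext blocks are revealed equal:", demo())
```

With a fresh nonce the offsets differ and the same comparison reveals nothing; the `demo` inputs reuse the nonce, so positions 0 and 2 are exposed as equal blocks. That equality oracle (an ECB-like leak at each block position) is the first thing one repetition buys an attacker; it says nothing about the forgery side of the draft's warning, which this example does not attempt to show.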