Re: [Cfrg] Request For Comments: OCB Internet-Draft

Simon Josefsson <> Fri, 15 July 2011 15:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 362EE21F875C for <>; Fri, 15 Jul 2011 08:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Lbv2PjIuqJek for <>; Fri, 15 Jul 2011 08:09:10 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4ED7521F862E for <>; Fri, 15 Jul 2011 08:09:10 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6FF91vM014383 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 15 Jul 2011 17:09:05 +0200
From: Simon Josefsson <>
To: Ted Krovetz <>
References: <> <> <> <>
OpenPGP: id=B565716F; url=
Date: Fri, 15 Jul 2011 17:09:01 +0200
In-Reply-To: <> (Ted Krovetz's message of "Fri, 15 Jul 2011 08:04:08 -0700")
Message-ID: <>
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97 at yxa-v
X-Virus-Status: Clean
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Jul 2011 15:09:11 -0000

Ted Krovetz <> writes:

>> Are there any implications for the key if a nonce is repeated?  Let's
>> say I use the same nonce all the time, and the attacker can do
>> known-plaintext attacks.  Can the attacker recover the key faster than
>> he would be able to if the nonces were not repeated?
> No. The only place the OCB key is used is as the key for AES. So, if
> one were able to recover OCB keys in the way you suggest, one would in
> effect have an AES key-extraction method. Since we don't think AES is
> susceptible to key-extraction, neither is OCB.
>> I'm trying to get AEAD cipher modes to say more than just "the security
>> properties are lost" when talking about failure modes.  "security
>> properties are lost" can mean so many things, and it is useful to be
>> able to rule out some unwanted side effects.
> In the ID we point out that if a nonce is reused during encryption,
> "partial information about past plaintexts will be revealed and
> subsequent forgeries will be possible". That seems specific enough for
> an RFC, don't you think?

Yes, thank you very much for clarifying!