Re: [Cfrg] Request For Comments: OCB Internet-Draft

Jack Lloyd <> Fri, 15 July 2011 17:38 UTC

On Fri, Jul 15, 2011 at 09:45:06AM -0700, Ted Krovetz wrote:

> In my opinion the point of the nonce-reuse warning is to impress
> upon security engineers that catastrophe strikes if a nonce is
> reused during encryption, and so they should make nonce reuse
> impossible. If nonce reuse is impossible, then it is irrelevant how
> bad the damage is when nonces are reused.

I think part of the issue is that making something truly 'impossible'
is quite a bit harder than it might sound, especially in the face of
an active attacker who might well decide that the easiest way of
breaking the system is to force it to reuse a nonce somehow (this
seems especially likely in embedded systems, but a general system
might well be susceptible). Some plausible failure modes, like VM
state rollback [1], could even be attacked passively and

Someone building or deploying a system (i.e. the sort of person who
would read an i-d or RFC) might well want to understand exactly how
fragile the system is when misused, which lets them make a realistic
and informed judgement of the tradeoffs in choosing between different
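The VM state rollback failure mode mentioned above, as an added Python example that is not part of the original thread: a nonce source that is either a plain counter or a random epoch plus counter, put through a simulated memory snapshot and restore. It assumes a 96-bit nonce, that the OS RNG is reseeded after a restore, and the `snapshot`/`restore` hooks are hypothetical stand-ins for what a hypervisor does to guest memory.

```python
import secrets

NONCE_LEN = 12           # assumption: 96-bit nonce for the AEAD in use
EPOCH_LEN = 8            # random part, refreshed whenever a restore is detected
COUNTER_LEN = NONCE_LEN - EPOCH_LEN


class NonceSource:
    """Nonce = epoch || counter. With randomized=False it is a plain counter."""

    def __init__(self, randomized):
        self.randomized = randomized
        self.counter = 0
        self.epoch = b"\0" * EPOCH_LEN
        self.new_epoch()

    def new_epoch(self):
        # Called at start-up and whenever the platform signals a restore
        # (e.g. a VM generation-ID change). Assumes the OS RNG has itself
        # been reseeded after the restore; if it has not, this draw can
        # repeat too, and the scheme is no better than the bare counter.
        if self.randomized:
            self.epoch = secrets.token_bytes(EPOCH_LEN)
            self.counter = 0

    def next_nonce(self):
        if self.counter >= 1 << (8 * COUNTER_LEN):
            raise RuntimeError("counter exhausted; rekey or start a new epoch")
        nonce = self.epoch + self.counter.to_bytes(COUNTER_LEN, "big")
        self.counter += 1
        return nonce

    def snapshot(self):
        # Hypothetical stand-in for the hypervisor capturing guest memory.
        return (self.epoch, self.counter)

    def restore(self, state, restore_detected):
        # Memory comes back exactly as it was; only a detected restore
        # gives the randomized scheme a chance to pick a fresh epoch.
        self.epoch, self.counter = state
        if restore_detected:
            self.new_epoch()


def rollback_repeats(randomized, restore_detected, n=5):
    """Emit n nonces, snapshot, emit n more, roll back, emit n more.
    Return True if any nonce value was issued twice."""
    src = NonceSource(randomized)
    seen = [src.next_nonce() for _ in range(n)]
    state = src.snapshot()
    seen += [src.next_nonce() for _ in range(n)]
    src.restore(state, restore_detected)
    seen += [src.next_nonce() for _ in range(n)]
    return len(seen) != len(set(seen))
```

The plain counter repeats after any rollback, and even the randomized source repeats when the restore goes unnoticed; only detecting the restore and drawing a new epoch keeps the nonces unique.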