Re: [Cfrg] Request For Comments: OCB Internet-Draft

Simon Josefsson <> Thu, 14 July 2011 08:00 UTC

Ted Krovetz <> writes:

> I have just submitted an internet-draft for OCB to the IETF.
> I'd appreciate any comments you may have on how to make the draft better.

It would help if you explained (in the security considerations) what
happens if a nonce is repeated.  The question of failure modes of
authenticated encryption modes has come up in several different
contexts.  It turns out that different AEAD modes have different failure

In particular, you want to address whether repeat of a nonce leads to
immediate key disclosure, or whether the key can be found after some
computation faster than obvious attacks, or whether it can only lead to
recovery of the plaintext, and/or whether it depends on the plaintext as
well (e.g., something interesting happens if the plaintexts are related).

> There are several patents that may apply to OCB. We are in the process
> of trying to get all parties to pool their patents and liberalize
> their use.

Which patents?  According to the patent disclosure search, only these
have been disclosed:

If you are aware of other patents (or applications) that apply, it
would help if you send in a patent disclosure about them.