[jose] Re: Add AES-OCB mode?
Richard Barnes <rlb@ipv.sx> Wed, 01 October 2025 04:47 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@mail2.ietf.org
Delivered-To: jose@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 227DF6BA3893 for <jose@mail2.ietf.org>; Tue, 30 Sep 2025 21:47:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6387tfWHt-g for <jose@mail2.ietf.org>; Tue, 30 Sep 2025 21:47:27 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 676D56BA3889 for <jose@ietf.org>; Tue, 30 Sep 2025 21:47:27 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id ca18e2360f4ac-917be46c59bso443799039f.1 for <jose@ietf.org>; Tue, 30 Sep 2025 21:47:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1759294039; x=1759898839; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=E+fD6+WFU+49Xy4shywLVoZ73ZjYmWSwCa/oIAuwQnE=; b=ztw9k5b64aNZIZpCHs/3lzuJ+ieZFxT3tNyeEt+kPiRBkRPJjGVtYEcC6/9qUhH4Z1 CmqvBF31MxMAjdwvtI4nyGrz/n5MyEGRdUWIoN7uBNvvo/mz7cHuSsEctfaOO3D9OSnA UwMrxuYmafyvs9mrrm8PpUcFep7fA9QqK4aOrqbI9VFuAwKGbyHabjjEFQvet1MfYfnm oUHhPdrZeA1RCXnkpzd9Kf4RZsNjD7wLWW3DyaBLC8CGywI5Yt0U+alt7Q6tsrya37pi l3GHleGDrLJ8BiFWgwzKI/dIWWQcufULLq/xXxKLbVlIQXzC1Alx6f9ohegNOK6ixTQx 1ZzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759294039; x=1759898839; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=E+fD6+WFU+49Xy4shywLVoZ73ZjYmWSwCa/oIAuwQnE=; b=gz1jlD6EoyT/OlyHORNcWJrU8ZRABDkEAsccqIQBfNLBAkoiEBEclrtuObCro2Y1QP 9d5AizonP68I8UB6KzuJWoF6j0bbkqSK9joREEoFETPkh44Tn63zvg4gP1FZsBAx0scI pNYuA8c4wcqzBOBFm0I0XqFpUcUwghg0cemerGZKphvvzhpEAz1vMYSWXzuHRAQCUsti YkQxx53WMNvJcotU+Xrh0Nf+cbdsSrH4tPZdCyhFN1zCQPOwcnp13k+c3KBK0ICYiQ63 1c/T8axzfsRhemET0xfck/5+yp4xuRIMLu9DbkfXRuvb+fot0WmAFDS2uUV4JvU7AAvU h9PQ==
X-Forwarded-Encrypted: i=1; AJvYcCXjAiBqEXZFKPWnI48GGyy5B+vOoRZ+YM5XSTqI1RObZodORLMpXJJEwTcQpKujC1Jybnvb@ietf.org
X-Gm-Message-State: AOJu0YxzRJHpbgqs+U+TWjy6vhkBd9hcL9TEQwrDmsH3k7NhFSSlEh79 DmIuy6zrC/uOo+sJUoLw0jdGwxgco6n1QOMeX23EU3cl7fCxyB/xQpRgq5ddU9rfXk2UWf7Dmlh khQMf0RGtH63Gv58tgFnU6E1//RQ9ACcplHkEWgVvsQ==
X-Gm-Gg: ASbGncuSzzP36fyR71f23LIZw8AA2CzT4vHcTtdGlmjYYUIC4H2x57HnAB7fFatcYC+ avZXJqRDAchZ38YsMzSvrCRx5E+1qaU7dZUGy7JNH39Ih7EZyXnVi4BFYcLCmR74QuQpaST06eU 33kBsOpYg78KE9fpxuUHKHQ5WcbsA0ov0a+7WgXmbYWawhmrovbPPoEM1VmsxiDB3Jq39C4paZ/ Nq/VcHQZ6c3RSl5hlDWDbatcQIX
X-Google-Smtp-Source: AGHT+IG5JpUpwdmA+9NUCDQ9X2LLiJ9BbAZA2hxIYLrwkMFu4R23VtihT26IYo83ilKEssHUVeMCiLTJVAhcVrFb8Pk=
X-Received: by 2002:a05:6e02:1aa7:b0:428:f19b:2947 with SMTP id e9e14a558f8ab-42d8159ea64mr39637105ab.6.1759294039563; Tue, 30 Sep 2025 21:47:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwgfhyciLkzsWqX=Qqb-40=ia9a+ESEa2A9p8PNY9PUh1g@mail.gmail.com> <F0AB9726-A62E-4AA9-B358-44A344AC5894@runbox.eu> <GVXPR07MB9678259E45FDB02947AF9C40891BA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAMm+LwjxgwgoeQn42HHZoe4FA3YMFM1Kr1Yt63O5XkhVnhf=jQ@mail.gmail.com> <GVXPR07MB96785F1CF8716B3F79C34249891BA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAMm+Lwgh+DfiJr4C12OK4EyGXeevdQizDOZo0H80wSNruPZMwg@mail.gmail.com>
In-Reply-To: <CAMm+Lwgh+DfiJr4C12OK4EyGXeevdQizDOZo0H80wSNruPZMwg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 30 Sep 2025 18:47:08 -1000
X-Gm-Features: AS18NWAygVWmLyy_6BNEiNb-NGR_YmC3851RqqfVzfASs_g1SgBTQXXWHzaH47E
Message-ID: <CAL02cgSNxKMtsLGoyoVQa95r0CDnRTE7c5RTtJvuTmOMbDcqrg@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary="00000000000048b60d064011906f"
Message-ID-Hash: BWGO5P4WTS3HJZXJTCX2A2JLBG6FG4TI
X-Message-ID-Hash: BWGO5P4WTS3HJZXJTCX2A2JLBG6FG4TI
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: John Mattsson <john.mattsson@ericsson.com>, Neil Madden <neil.e.madden@runbox.eu>, "jose@ietf.org" <jose@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [jose] Re: Add AES-OCB mode?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/A7yJ90Bjt5dzGK-fMi7VQUz019c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Phil: The registry is Specification Required. You can just send email to IANA, there's no need to get the WG to approve it. https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms On Tue, Sep 30, 2025 at 6:17 PM Phillip Hallam-Baker <phill@hallambaker.com> wrote: > The reason I prefer OCB over GCM is that the plaintext is one of the > inputs to the block function in OCB while in GCM it does not. GCM converts > AES into a stream cipher. > > So yes, nonce reuse does leak some information. It means that an attacker > presented with two plaintexts encrypted under the same nonce can see if > blocks are the same or different. That is potentially a pretty serious > security concern. > > But it isn't the rake stomp you get from GCM. If you reuse the same nonce > with GCM I can immediately work out the XOR of the two plaintexts and that > is more than enough to recover both plaintexts if the input is text. > > There is a difference and that difference is one of the reasons I am a bit > wary of folk who seem to think formal methods are a magic wand, they are > not. > > > Given that NIST is going to have to look for functions that do prevent the > type of attack OCB is vulnerable to, it is pretty clear that they have to > guarantee the ciphertext depends on every bit of plaintext and they are > going to require multiple passes. > > That means that the only way to achieve efficient encoding and nonce reuse > resilience is going to be something like GCM-SIV on individual chunks of > plaintext. I would still prefer OCB-SIV,... but there are more interesting > windmills to tilt at right now. > > > What this means is that it would be useful to have an envelope format that > allowed the Payload to specify the chunking for decryption purposes. Then > GCM-SIV can be used on each chunk in turn and whatever accordion functions > NIST might provide can fit into the same slot. > > > > > On Mon, Sep 29, 2025 at 12:35 PM John Mattsson <john.mattsson@ericsson.com> > wrote: > >> >Certainly hard to see Prof Rogaway being involved >> >> >> >> He was invited to the first workshop in 2023 to have a keynote on block >> ciphers and surprised everybody by instead talking about radical CS :) >> >> >> https://csrc.nist.gov/csrc/media/Presentations/2023/radical-cs/images-media/sess-1-rogaway-bcm-workshop-2023.pdf >> >> >if there is an effort to develop new modes. >> >> >> >> But note that NIST accordions will very likely be two-pass so that the >> last bit in the plaintext can affect the first bit in the ciphertext. There >> are limits to what you can do with one pass. >> >> >> >> Cheers, >> John >> >> *From: *Phillip Hallam-Baker <phill@hallambaker.com> >> *Date: *Monday, 29 September 2025 at 18:15 >> *To: *John Mattsson <john.mattsson@ericsson.com> >> *Cc: *Neil Madden <neil.e.madden@runbox.eu>, jose@ietf.org <jose@ietf.org >> > >> *Subject: *Re: [jose] Re: Add AES-OCB mode? >> >> On Sun, Sep 28, 2025 at 11:53 PM John Mattsson < >> john.mattsson@ericsson.com> wrote: >> >> Hi Phillip, >> >> For robustness I would wait for NIST accordions. >> >> https://csrc.nist.gov/pubs/sp/800/197/a/iprd >> >> >> >> Oohhh, very interesting. Just have to wonder if it is going to continue >> given the random nature of US government under this administration. >> Certainly hard to see Prof Rogaway being involved given his current >> focus and he essentially invented the construct. >> >> >> >> On the other hand, if the effort does bring a community of cryptographers >> together to work on this topic, it probably won't be too hard for that work >> to find a home if there is some peculiar event. >> >> >> >> >> >> RFC 7253 already have very good text on the nonce reuse properties: >> >> >> >> It is crucial that, as one encrypts, one does not repeat a nonce. >> >> The inadvertent reuse of the same nonce by two invocations of the OCB >> >> encryption operation, with the same key, but with distinct plaintext >> >> values, undermines the confidentiality of the plaintexts protected in >> >> those two invocations and undermines all of the authenticity and >> >> integrity protection provided by that key. For this reason, OCB >> >> should only be used whenever nonce uniqueness can be provided with >> >> certainty. >> >> >> >> Start with reading RFC 7253 and decide if you want to proceed. Unclear >> how you wanted to do the registrations. The JSON Web Signature and >> Encryption Algorithms is Specification Required. >> >> >> >> Yeah, undermining is not the same as the rake-stomp effect of reusing the >> nonce in GCM. But this is obviously not the time to go further down the OCB >> road if there is an effort to develop new modes. >> >> >> >> >> >> >> >> > A128OCB, A192OCB, and A256OCB >> >> I don’t think I have ever seen anyone use AES-192, and can we just call >> it them AES-128-OCB and AES-256-OCB. A person from NIST recently asked me >> why I used so weird terminology, and I had to explain its JOSE’s fault :) >> >> >> >> >> Oh I agree there. I think there is almost no situation where 128 is going >> to be insufficient when I am not going to go to 256. >> >> >> >> I went even further in my designs for the Mesh, I only use AES-256, >> SHA-2-512 and SHA-3-512/SHAKE256. If I want a shorter digest, I truncate. >> >> >> >> >> > _______________________________________________ > jose mailing list -- jose@ietf.org > To unsubscribe send an email to jose-leave@ietf.org >
- [jose] Add AES-OCB mode? Phillip Hallam-Baker
- [jose] Re: Add AES-OCB mode? Neil Madden
- [jose] Re: Add AES-OCB mode? Phillip Hallam-Baker
- [jose] Re: Add AES-OCB mode? Neil Madden
- [jose] Re: Add AES-OCB mode? John Mattsson
- [jose] Re: Add AES-OCB mode? Phillip Hallam-Baker
- [jose] Re: Add AES-OCB mode? John Mattsson
- [jose] Re: Add AES-OCB mode? Phillip Hallam-Baker
- [jose] Re: Add AES-OCB mode? Phillip Hallam-Baker
- [jose] Re: Add AES-OCB mode? Richard Barnes