Re: [TLS] Inclusion of OCB mode in TLS 1.3

Alex Elsayed <eternaleye@gmail.com> Sun, 18 January 2015 12:06 UTC

To: tls@ietf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Sun, 18 Jan 2015 04:06:23 -0800
Message-ID: <m9g7k3$olu$1@ger.gmane.org>
References: <54B5501A.4070402@azet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8cWcynDDg4l7t56vCWLSs_L1zHY>

Aaron Zauner wrote:

> Hi TLS-WG,
> 
> Over the last couple of days I've again looked into OCB, read the
> original paper as well as quite some literature on it, patents, CFRG
> discussion et cetera.
> 
> OCB looks like an elegant and parallel mode for inclusion in TLS.
> I've searched through recent TLS-WG discussion, OCB has been
> mentioned in passing as has EAX(2). When first looking into that my
> main concerns were:
> 
>    * IPR/patents: the authors have granted access to OSI licensed
>      software as well as to commercial (non military!) software for
>      all use [0] [1].
<snip>

Note that while the authors have licensed their patents, IIRC there are
still concerns over whether the Gligor & Donescu or Jutla patents [1] apply.

In addition, I'd like to call the attention of the group to the CAESAR AEAD
competition [2], in which there are multiple entrants (and Rogaway &c have
submitted a new mode "AEZ" in addition to OCB). There is a mailing list [3]
for discussion and a wiki [4] which has collected the entrants, similar to
the SHA-3 Zoo.

One thing in particular that may be worth thinking about is that several of
the modes proposed are nonce-misuse resistant, akin to SIV.


[1] 6,963,976, 6,973,187, 7,093,126, and 8,107,620.
[2] http://competitions.cr.yp.to/caesar.html
[3] https://groups.google.com/forum/#!forum/crypto-competitions
[4] http://aezoo.compute.dtu.dk/
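The nonce-misuse point raised above, as an added example that is not part of the original thread: a toy CTR-style stream mode beside an SIV-style construction, both driven through a repeated nonce. HMAC-SHA256 stands in for the block-cipher PRF of real modes (this is a constructed illustration, not AES-SIV, OCB or any CAESAR entrant); the keys, nonces and messages are made up.

```python
"""Nonce misuse: nonce-based stream mode vs. SIV-style construction.
Constructed example; HMAC-SHA256 is a stand-in PRF, not a real AEAD."""
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # CTR-style expansion: PRF(key, iv || counter) blocks, truncated.
    out, counter = b"", 0
    while len(out) < length:
        out += prf(key, iv + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Keystream depends only on (key, nonce): reusing the nonce repeats it.
    # (A real AEAD appends a tag; that does not change this leak.)
    return xor(pt, keystream(key, nonce, len(pt)))


def siv_encrypt(mac_key: bytes, enc_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Synthetic IV is a PRF over nonce AND plaintext, and doubles as the tag.
    iv = prf(mac_key, nonce + pt)[:16]
    return iv + xor(pt, keystream(enc_key, iv, len(pt)))


def siv_decrypt(mac_key: bytes, enc_key: bytes, nonce: bytes, ct: bytes):
    iv, body = ct[:16], ct[16:]
    pt = xor(body, keystream(enc_key, iv, len(body)))
    if not hmac.compare_digest(prf(mac_key, nonce + pt)[:16], iv):
        return None  # tampered ciphertext or wrong nonce: reject
    return pt


def ctr_leak_under_reuse(key, nonce, pt1, pt2) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the plaintexts."""
    c1, c2 = ctr_encrypt(key, nonce, pt1), ctr_encrypt(key, nonce, pt2)
    return xor(c1, c2) == xor(pt1, pt2)


def siv_leak_under_reuse(mac_key, enc_key, nonce, pt1, pt2) -> bool:
    """Same check for SIV: distinct plaintexts get distinct IVs, so no leak."""
    c1 = siv_encrypt(mac_key, enc_key, nonce, pt1)[16:]
    c2 = siv_encrypt(mac_key, enc_key, nonce, pt2)[16:]
    return xor(c1, c2) == xor(pt1, pt2)
```

Under a repeated nonce the SIV construction still reveals whether two messages are identical (same plaintext, same ciphertext), which is the residual leak that "nonce-misuse resistant" accepts.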