[Cryptography] Derive IV from time in ticks.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Feb 6 20:07:40 EST 2023


Phillip Hallam-Baker <phill at hallambaker.com> writes:

>Do you have a link for that? The whole point of OCB was not to fail
>catastrophically like GCM does.

Either the OP is getting OCB confused with GCM or they've read too much into
the somewhat dramatic statements in various OCB papers that nonce reuse is
terrible and we're all going to die.  The difference is that nonce reuse with
GCM leads to a catastrophic failure of both confidentiality and integrity
while with OCB it bruises confidentiality and... would have to re-read one of
the papers to see specifically what it does to integrity.

The rule-of-thumb test for how safe (or unsafe) an encryption mode is is
whether it drops to being worse than ECB, the canonical worst encryption mode,
on trivial implementation mistakes like nonce reuse.  GCM easily fails that
test, while OCB, and most if not all other non-stream-cipher modes, don't.

Instead of the near-mandatory proofs of something-or-other that no recent
paper can come without, publications introducing new cipher modes should be
required to include a table of failure modes for all of the common
implementation mistakes that we see over and over and over again: What happens
when you reuse a key?  What happens when you reuse a nonce?  What happens when
you reuse a nonce and key?  What happens when ...  And, alongside all that,
does it pass the ECB test?

I've just been reading a paper on the lack of key commitment in AEAD modes
(you know that when people like Ange Albertini and Thai Duong co-author a
paper it's going to be a doozy :-), GCM being the poster child again for this
particular vulnerability.  The recommended fix to the problem is to do what
CBC mode has been doing for about half a century or so, add recognisable-on-
decryption padding to it (and in the case of CBC, HMAC it if you need the 'A'
part of the 'AE').

That's one thing that CBC+HMAC have that none of the fancy combined modes do
(or at least the ones that don't require two passes over the data), it's
pretty damn difficult to misuse.  Reuse keys, reuse nonces, use an all-zero
nonce, the worst you can possibly do is bruise the confidentiality slightly.

So here's a second litmus test to go alongside the ECB one: Your life depends
on carrying out secret communications with someone.  They don't have a copy of
PGP but they do have a compiler handy.  Do you tell them to implement GCM,
OCB, or CBC+HMAC?

Peter.
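The "recognisable-on-decryption padding" fix mentioned above, as an added example in Go (not code from the post or from the cited paper): AES-GCM with a block of zero bytes prepended to the plaintext, so that a ciphertext which authenticates under some other key still fails the prefix check. The 16-byte prefix length, the nonce||ciphertext||tag layout, the constructed demo key and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// zeroPad is the recognisable-on-decryption prefix: one AES block of zeros (the length is an assumption of this example).
var zeroPad = make([]byte, 16)

// sealCommitting prepends zeroPad before sealing and returns nonce||ct||tag: under
// any other key the prefix decrypts to pseudorandom bytes, so the output commits to the key.
func sealCommitting(aead cipher.AEAD, plaintext, ad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, append(append([]byte{}, zeroPad...), plaintext...), ad), nil
}

// openCommitting verifies the GCM tag first, then the zero prefix; both must pass.
func openCommitting(aead cipher.AEAD, sealed, ad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	padded, err := aead.Open(nil, sealed[:ns], sealed[ns:], ad)
	if err != nil {
		return nil, err // tag failure: tampered, or (almost always) the wrong key
	}
	if len(padded) < len(zeroPad) || subtle.ConstantTimeCompare(padded[:len(zeroPad)], zeroPad) != 1 {
		return nil, errors.New("zero prefix missing: ciphertext was not sealed under this key")
	}
	return padded[len(zeroPad):], nil
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero demo key; never use such a key for real
	aead, _ := cipher.NewGCM(block)
	sealed, _ := sealCommitting(aead, []byte("hello"), []byte("hdr"))
	pt, err := openCommitting(aead, sealed, []byte("hdr"))
	fmt.Printf("%q %v\n", pt, err)
}
```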
