Hi openpgp WGers,
This is the proposed patch to add OCB to 4880bis.
The proposed patch can be seen at this link and also attached below:
-
https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/8<https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/7>
commit 74052ffc18c60d5388475a34ffb78d82b3cecd65
Author: Ronald Tse
<ronald(_dot_)tse(_at_)ribose(_dot_)com<mailto:ronald(_dot_)tse(_at_)ribose(_dot_)com>>
Date: Wed Oct 25 17:01:25 2017 +0800
Propose addition of OCB mode to AEAD.
diff --git a/middle.mkd b/middle.mkd
index 686c1cf..835906b 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -2645,8 +2645,7 @@ A new random initialization vector MUST be used for each
message.
### EAX Mode
-The only currently defined AEAD algorithm is EAX Mode
-[](#EAX). This algorithm can only use block ciphers with 16-octet
+The EAX algorithm can only use block ciphers with 16-octet
blocks. The starting initialization vector and authentication tag are
both 16 octets long.
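Review bot: The rewritten opening sentence of the EAX Mode section drops the [](#EAX) citation, so the section no longer points at the algorithm's defining reference, while the new OCB section opens by citing [](#RFC7253). Suggest keeping the citation in the new wording, for example "The EAX algorithm [](#EAX) can only use block ciphers with 16-octet blocks."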
@@ -2660,6 +2659,51 @@ exclusive-oring the low eight octets of it with the
chunk index.
The security of EAX requires that the nonce is never reused, hence the
requirement that the starting initialization vector be unique.
+
+### OCB Mode
+
+The OCB Authenticated-Encryption Algorithm used in this document is
+defined in [](#RFC7253).
+
+OCB was initially defined in [](#OCB1) (now called "OCB1") for
+authenticated encryption, then as an authenticated encryption with
+associated data algorithm with tweakable blockciphers in [](#OCB2)
+("OCB2"), and finally with performance enhancements as [](#OCB3)
+("OCB3").
+
+The [](#RFC7253) algorithm differs from "OCB3" such that tag length
+is encoded into the internally formatted nonce.
+
+OCB usage requires specification of the following parameters:
+
+ * a blockcipher that operate on 128-bit (16-octet) blocks
+ * an authentication tag length of 128 bits
+
+While OCB [](#RFC7253) allows the authentication tag length to be of
+any number up to 128 bits long, this document requires a fixed
+authentication tag length of 128 bits (16 octets) for simplicity.
+
+The nonce for a chunk of chunk index "i" in OCB processing is defined
+as:
+
+ OCB-Nonce_{i} = IV[1..120] xor i
+
+Where,
+
+ * IV is the initialization vector of the message;
+ * IV[i..j] is the substring of IV consisting of bits i through j,
+ inclusive, in big-endian format.
+
+The value of OCB-Nonce_{i} is always 120 bits (15 octets) long as the
+longest allowed nonce length of OCB mode according to [](#RFC7253).
+
+Security of OCB mode depends on the non-repeated nature of nonces used
+for the same key on distinct plaintext [](#RFC7253). Therefore the
+initialization vector per message MUST be distinct, and OCB mode
+SHOULD only be used in environments when there is certainty to
+fulfilling this requirement.
+
+
# {6} Radix-64 Conversions
As stated in the introduction, OpenPGP's underlying native
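Review bot: The nonce definition "OCB-Nonce_{i} = IV[1..120] xor i" leaves two things unspecified: the length of the starting initialization vector for OCB, and how the chunk index i is widened and aligned to 120 bits before the xor. The EAX text just above is explicit on both (a 16-octet IV, with the chunk index exclusive-ored into its low eight octets). The OCB section should state the IV length in octets and say which octets of it the index is combined with, otherwise two implementations can derive different nonces for the same chunk. "In big-endian format" is attached to a bit substring, where it is not clear what it constrains. Smaller points: "a blockcipher that operate" should read "operates", "environments when there is certainty to fulfilling" is hard to parse as a SHOULD, and the hunk adds two blank lines before the Radix-64 heading.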
@@ -3214,10 +3258,11 @@ SHOULD NOT use MD5 or RIPE-MD/160.
ID Algorithm
-------- ---------
1 EAX [](#EAX)
+ 2 OCB [](#RFC7253)
100--110 Private/Experimental algorithm
Implementations MUST implement EAX. Implementations MAY implement
-other algorithms.
+OCB and other algorithms.
# {10} IANA Considerations
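Review bot: ID 2 is allocated in the AEAD table, but the patch has no hunk under the IANA Considerations heading that follows as trailing context. If that section registers AEAD algorithm IDs, it needs the matching entry for OCB. In the changed sentence, "Implementations MAY implement OCB and other algorithms" gives OCB the same status as any unlisted algorithm, so naming it there adds no requirement; either leave the original sentence or say what distinguishes OCB.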
diff --git a/reference.RFC.7253.xml b/reference.RFC.7253.xml
new file mode 100644
index 0000000..5e8cdf3
--- /dev/null
+++ b/reference.RFC.7253.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='UTF-8'?>
+
+<reference anchor='RFC7253' target='https://www.rfc-editor.org/info/rfc7253'>
+<front>
+<title>The OCB Authenticated-Encryption Algorithm</title>
+<author initials='T.' surname='Krovetz' fullname='T. Krovetz'><organization
/></author>
+<author initials='P.' surname='Rogaway' fullname='P. Rogaway'><organization
/></author>
+<date year='2014' month='May' />
+<abstract><t>This document specifies OCB, a shared-key blockcipher-based
encryption scheme that provides confidentiality and authenticity for plaintexts
and authenticity for associated data. This document is a product of the Crypto
Forum Research Group (CFRG).</t></abstract>
+</front>
+<seriesInfo name='RFC' value='7253'/>
+<seriesInfo name='DOI' value='10.17487/RFC7253'/>
+</reference>
diff --git a/template.xml b/template.xml
index 2527e28..28f0cac 100644
--- a/template.xml
+++ b/template.xml
@@ -22,6 +22,7 @@
<!ENTITY rfc.5639 PUBLIC '' 'reference.RFC.5639.xml'>
<!ENTITY rfc.5870 PUBLIC '' 'reference.RFC.5870.xml'>
<!ENTITY rfc.6090 PUBLIC '' 'reference.RFC.6090.xml'>
+ <!ENTITY rfc.7253 PUBLIC '' 'reference.RFC.7253.xml'>
<!ENTITY rfc.7748 PUBLIC '' 'reference.RFC.7748.xml'>
<!ENTITY iso.10646 PUBLIC '' 'reference.ISO.10646-1.1993.xml'>
<!ENTITY eddsa PUBLIC '' 'reference.I-D.irtf-cfrg-eddsa.xml'>
@@ -102,7 +103,35 @@
<author surname="Wagner" initials="D." />
<date year="2003" month="April" />
</front>
- </reference>
+ </reference>
+
+ <reference anchor='OCB1'>
+ <front>
+ <title>OCB: A Block-Cipher Mode of Operation for Efficient
Authenticated Encryption</title>
+ <author surname="Rogaway" initials="P." />
+ <author surname="Bellare" initials="M." />
+ <author surname="Black" initials="J." />
+ <author surname="Krovetz" initials="T." />
+ <date year="2001" month="April" />
+ </front>
+ </reference>
+
+ <reference anchor='OCB2'>
+ <front>
+ <title>Efficient Instantiations of Tweakable Blockciphers and
Refinements to Modes OCB and PMAC.</title>
+ <author surname="Rogaway" initials="P." />
+ <date year="2004" month="April" />
+ </front>
+ </reference>
+
+ <reference anchor='OCB3'>
+ <front>
+ <title>The Software Performance of Authenticated-Encryption
Modes</title>
+ <author surname="Krovetz" initials="T." />
+ <author surname="Rogaway" initials="P." />
+ <date year="2011" month="April" />
+ </front>
+ </reference>
<reference anchor='ELGAMAL'>
<front>
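Review bot: The three new reference entries (OCB1, OCB2, OCB3) carry only title, authors and date, with no target or seriesInfo, so a reader cannot locate the papers; the RFC7253 reference added in this same patch has both. Suggest adding a target URL or the publication venue to each. All three give month="April", the same as the entry just above them, which is worth checking against the actual publications. The OCB2 title ends with a period inside the title element, unlike the other two. The first changed pair in the hunk removes and re-adds the closing reference tag with no visible difference, which looks like a whitespace-only change that can be dropped.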
@@ -216,6 +245,7 @@
&rfc.4086;
&rfc.5639;
&rfc.5870;
+ &rfc.7253;
&rfc.7748;
&eddsa;
_____________________________________
Ronald Tse
Ribose Inc.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp