ietf-openpgp

Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

2017-10-25 20:47:14
Hi Werner, Rick and Paul,

Werner, thanks for the tip. I’ve just sent the proposed patches to the mailing 
list, as you have probably already seen.

Rick, Paul,

The benefits of OCB mode are best explained on this page:
http://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

In comparison with EAX which is already included in 4880bis, OCB is fully 
parallelizable for encryption/decryption and authentication (EAX authentication 
is serial). It is a single-pass algorithm (EAX is 2-pass), and is currently the 
only widely accepted AEAD mode that is endian-independent (EAX is 
endian-dependent), which makes implementation easier.

Performance of OCB is superior to EAX and is probably the fastest among 
accepted AEAD competitors, as compared in this paper:
https://www.fi.muni.cz/~xsvenda/docs/AE_comparison_ipics04.pdf

This paper states that with 16-byte messages, EAX requires 227.09 cycles per 
byte (6 blockcipher invocations), while OCB needs only 118.91 cycles 
(3 blockcipher invocations).

In addition, Krovetz and Rogaway have also made the effort to standardize OCB 
in RFC 7254, providing a stable IETF reference, and also included OCB-AES in 
the IANA registry for AEAD parameter sets (RFC 5116), in which EAX is not present:
https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml

Another thought is to actually refer to the IANA registry for OpenPGP supported 
AEAD algorithms, but that might be a topic for another day.

Kind regards,
Ron

_____________________________________

Ronald Tse
Ribose Inc.


On Oct 26, 2017, at 12:47 AM, Rick van Rein 
<rick(_at_)openfortress(_dot_)nl> wrote:

Hi,

Adding algorithms is easy. Removing them is hard. That should raise the
bar for adding new ones.

I second that.  There should be a good reason for adding new algorithms.
(Which is always subjective because it is really helpful to have things
to fall back on when a part fails, security-wise.)

Along the same lines I'm also surprised that no effort has been made to
deprecate 2.x PGP packet formats and public key formats, for instance.
We all know that such old keys don't have a reason to exist anymore,
but we're all still coding the old and new in order to be compliant to
the standards.  Such a waste of time...

-Rick

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp