OCB with 128-bit block sizes coming down the pike


Jeffrey Walton

Sep 26, 2017, 12:14:25 PM
to Crypto++ Users
Hi Everyone,

We should be checking in OCB shortly. It's being prepared on my testing clone.

OCB mode is in the process of being widened for block sizes up to 1024-bit, but we are only supporting 128-bit block sizes. The wider sizes are trickier due to the bit twiddling so I'd like to have access to a few other implementations before we pull the trigger on wider sizes.

OCB mode is kind of tricky in general because AuthenticatedSymmetricCipher is not really designed for single pass AEAD modes. AuthenticatedSymmetricCipher was designed at a time when there was one single pass AEAD mode and it was patented. Just about everything other than OCB was double pass to avoid infringing on the patent.

Dual pass processing means the library assumes the encryptor and the authenticator are discrete components. When data is transformed there are two calls - one to encrypt/decrypt, and one to mac/verify. The current framework does not allow us to just encrypt, which is where the MAC'ing occurs with OCB (it's literally an XOR into a running checksum), so we have to provide phony MessageAuthenticationCodes (the library is calling them whether needed or not).

A lot has changed since AEAD support was added. OCB is widely available for free for projects like Botan, Crypto++ and OpenSSL. And the CAESAR competition (https://competitions.cr.yp.to/caesar.html) is chock-full of the next generation single pass AEAD modes. I kinda feel like AuthenticatedSymmetricCipher needs a small update to better accommodate single pass modes. The rub is I don't have enough experience with the interfaces to know where to best apply the changes. At this point in time I think the best course of action is to "wait and see". Eventually the changes will become apparent.

Jeff
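One block-size-dependent piece of OCB is the GF(2^n) doubling used to derive its offset masks: the shift is identical at every width, but the constant folded back in changes with the block size. The following is an added C++ example, not Crypto++'s OCB code and not from the post; `gf_double`, `reduction_constant` and `from_hex` are hypothetical names, and the 64-bit and 256-bit constants are the commonly used low-weight polynomials, assumed here rather than taken from the thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

using Block = std::vector<uint8_t>;

// Low-order terms of the reduction polynomial for GF(2^n), n = 8 * bytes.
static uint32_t reduction_constant(std::size_t bytes) {
    switch (bytes) {
        case 8:  return 0x1B;   // x^64  + x^4  + x^3 + x   + 1
        case 16: return 0x87;   // x^128 + x^7  + x^2 + x   + 1
        case 32: return 0x425;  // x^256 + x^10 + x^5 + x^2 + 1
        default: throw std::invalid_argument("unsupported block size");
    }
}

// Multiply a big-endian block by x in GF(2^n): shift left one bit, then fold
// the bit that fell off the top back in using the reduction constant.
Block gf_double(const Block& in) {
    const uint32_t poly = reduction_constant(in.size());
    const std::size_t n = in.size();
    Block out(n);
    uint8_t carry = 0;
    for (std::size_t i = n; i-- > 0;) {
        out[i] = static_cast<uint8_t>((in[i] << 1) | carry);
        carry = static_cast<uint8_t>(in[i] >> 7);
    }
    // Fold without an if: the mask is all ones only when the top bit was set.
    const uint32_t fold = poly & (0u - carry);
    out[n - 1] ^= static_cast<uint8_t>(fold);
    out[n - 2] ^= static_cast<uint8_t>(fold >> 8);  // only nonzero for 0x425
    return out;
}

// Hex decoder for the constructed sample values.
Block from_hex(const std::string& hex) {
    Block b;
    for (std::size_t i = 0; i + 1 < hex.size(); i += 2)
        b.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return b;
}

int main() {
    // Constructed input with the top bit set, so the 0x87 fold is exercised.
    for (uint8_t v : gf_double(from_hex("80000000000000000000000000000001")))
        std::printf("%02x", v);
    std::printf("\n");
}
```

At 256 bits the constant no longer fits in one byte, which is why the fold touches the last two bytes rather than one.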

Jeffrey Walton

Oct 18, 2017, 2:29:51 AM
to Crypto++ Users


> We should be checking in OCB shortly. It's being prepared on my testing clone.

I'm refraining from checking in OCB at the moment. We have a working implementation that performs well around 2.6 cpb, but it looks awful to me. I feel like it is a messy and sloppy implementation. I want to wait until it gets cleaned up and it feels right.

I was also talking to Jack Lloyd, and he provided some hints to get performance to around 2.0 cpb, so I want to work on that too.

If someone has a need, then I can share OCB mode privately until we get something more presentable.

Jeff