Dear all,
In OMD the tag length ($\tau$) is one of the “parameters” that must be selected and “fixed” before using the algorithms, NOT a variable-length input to the algorithms. Of course this “fixed parameter” can be selected as a number in the range [32, 256] (for OMD-sha256). Never in the description of OMD have we allowed or encouraged a variable length tag to be used with the same key.
This has been made completely clear throughout the description of the algorithm as is in the submission pack to CAESAR, where in more than one place we have explicitly mentioned it.
Although we thought that in many places inside the OMD submission pack it has been made clear that the tag length is a parameter of the algorithm, this will be even more clear from the Reference implementation pack of OMD-sha256 where for each set of recommended values for the parameters “(key length, nonce length, tag length)” (selected from their allowed ranges, i.e., $80 \leq k \leq 256$, $96 \leq |N| \leq 255$, and $32 \leq \tau \leq 256$) we have a different algorithm, for example “omdsha256k128n96tau64v1” and “omdsha256k128n96tau96v1” are two different algorithms which have the same key length ($k=128$), the same nonce length ($n=96$) but different tag lengths ($\tau=64$ and $\tau=96$).
The attack by Dobraunig et al. is based on mixing up the “flexibility” of OMD in providing different parameter sizes which is a strong point for OMD with what they assume as allowing variable-length inputs. Hence, it is not an attack against the OMD as described in the CAESAR submission.
Dobraunig et al. say that “OMD supports tag lengths t between 32 and 256. To prevent the above attack, the tag length t is included as a constant in the tag computation, so the smaller-sized tags are no longer prefixes of the longer-sized tags for the same K,N,A,P.” This is never said in the description of OMD and its security analysis; in fact, we note that replacing the tag length in the first block with any other constant (e.g. 0) will not affect the security proof of OMD at all.
We also note that Dobraunig et al.’s suggestion to “include nonce and t in tag_a in some way” might yield an interesting new variant of OMD with the extra feature of supporting variable-length tags, but this (variable-length tag input) is not something which is supported in OMD.
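
The following is an added example, not code from the OMD submission or its reference pack: a sketch of how a caller could enforce the rule in this message that each key is used with one fixed parameter set. The name pattern is inferred from the two instance names quoted above; `KeyParameterRegistry` and its methods are hypothetical, and byte-aligned key and tag lengths are assumed.

```python
import hashlib
import re

# Allowed ranges in bits for OMD-sha256, as quoted in the message above.
RANGES = {"k": (80, 256), "n": (96, 255), "tau": (32, 256)}
# Assumption: pattern inferred from the two instance names quoted above.
NAME_RE = re.compile(r"^omdsha256k(\d+)n(\d+)tau(\d+)v1$")


def parse_params(name):
    """Parse e.g. 'omdsha256k128n96tau64v1' into bit lengths and range-check them."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an OMD-sha256 instance name: {name!r}")
    params = dict(zip(("k", "n", "tau"), map(int, m.groups())))
    for field, value in params.items():
        lo, hi = RANGES[field]
        if not lo <= value <= hi:
            raise ValueError(f"{field}={value} outside [{lo}, {hi}]")
    return params


class KeyParameterRegistry:
    """Hypothetical helper: pins each key to the first instance it is used with."""

    def __init__(self):
        self._pinned = {}  # in-memory key fingerprint -> instance name

    @staticmethod
    def _fingerprint(key):
        return hashlib.sha256(key).hexdigest()

    def bind(self, key, name):
        """Pin key to name; refuse a second instance (e.g. another tau) for it."""
        params = parse_params(name)
        if len(key) * 8 != params["k"]:
            raise ValueError("key length does not match k")
        pinned = self._pinned.setdefault(self._fingerprint(key), name)
        if pinned != name:
            raise ValueError(f"key already bound to {pinned}, refusing {name}")
        return params

    def tag_length_ok(self, key, tag):
        """True only if the tag has exactly the tau pinned for this key."""
        name = self._pinned.get(self._fingerprint(key))
        if name is None:
            raise KeyError("key has no pinned parameter set")
        return len(tag) * 8 == parse_params(name)["tau"]
```

A receiver would call `tag_length_ok` before running verification, so that a tag of any other length is rejected without being processed under that key.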