%!PS-Adobe-3.0
%%BoundingBox: 18 36 577 806
%%Title: Enscript Output
%%Creator: GNU Enscript 1.6.5.2
%%CreationDate: Fri Jul 15 02:17:34 2011
%%Orientation: Portrait
%%Pages: (atend)
%%DocumentMedia: A4 595 842 0 () ()
%%DocumentNeededResources: (atend)
%%EndComments
%%BeginProlog
%%BeginResource: procset Enscript-Prolog 1.6.5 2
%
% Procedures.
%
/_S { % - -> -  snapshot the interpreter (VM) state into _s; _R rolls back to it
save /_s exch def
} def
/_R { % - -> -  restore from saved state: undoes every VM change made since _S
_s restore
} def
/S { gsave showpage grestore } bind def % - -> -  emit the page; gsave/grestore keep the graphics state intact
/MF { % fontname newfontname -> -  define newfontname as a copy of fontname using encoding_vector
/newfontname exch def
/fontname exch def
/fontdict fontname findfont def
/newfont fontdict maxlength dict def
% Copy every entry except FID, which must never be shared between fonts.
fontdict {
  1 index /FID eq { pop pop } { newfont 3 1 roll put } ifelse
} forall
newfont /FontName newfontname put
% Only a full 256-entry vector is a usable Encoding; otherwise the font keeps its own.
encoding_vector length 256 eq { newfont /Encoding encoding_vector put } if
newfontname newfont definefont pop
} def
/MF_PS { % fontname newfontname -> -  define newfontname as a copy of fontname, encoding untouched
/newfontname exch def
/fontname exch def
/fontdict fontname findfont def
/newfont fontdict maxlength dict def
% Copy every entry except FID, which must never be shared between fonts.
fontdict {
  1 index /FID eq { pop pop } { newfont 3 1 roll put } ifelse
} forall
newfont /FontName newfontname put
newfontname newfont definefont pop
} def
/SF { % fontname width height -> -  select fontname scaled to width x height points
exch /width exch def
/height exch def
findfont [ width 0 0 height 0 0 ] makefont setfont
} def
/SUF { % fontname width height -> -  re-encode fontname as F-gs-user-font and select it at width x height
3 -1 roll /F-gs-user-font MF
/F-gs-user-font 3 1 roll SF
} def
/SUF_PS { % fontname width height -> -  copy fontname (encoding kept) as F-gs-user-font and select it
3 -1 roll /F-gs-user-font MF_PS
/F-gs-user-font 3 1 roll SF
} def
/M {moveto} bind def % x y -> -  short alias for moveto, used before every text line on the pages below
/s {show} bind def % string -> -  short alias for show
/Box { % x y w h -> -  append a closed rectangle to the current path (no newpath, no fill)
/d_h exch def /d_w exch def /d_y exch def /d_x exch def
d_x d_y moveto
d_x d_w add d_y lineto
d_x d_w add d_y d_h add lineto
d_x d_y d_h add lineto
closepath
} def
/bgs { % x y height blskip gray str -> -  paint a gray box behind str, then show str at (x, y)
/str exch def /gray exch def /blskip exch def
/height exch def /y exch def /x exch def
gsave
  x y blskip sub str stringwidth pop height Box % box starts blskip below the baseline
  gray setgray fill
grestore
x y moveto str show
} def
/bgcs { % x y height blskip red green blue str -> -  paint an RGB box behind str, then show str at (x, y)
/str exch def /blue exch def /green exch def /red exch def
/blskip exch def /height exch def /y exch def /x exch def
gsave
  x y blskip sub str stringwidth pop height Box % box starts blskip below the baseline
  red green blue setrgbcolor fill
grestore
x y moveto str show
} def
% Highlight bars.
/highlight_bars { % nlines lineheight output_y_margin gray -> -
% Paints alternating gray bands, each nlines text rows tall, down every
% column of the output area. Reads d_header_y, d_output_w, d_output_h, cols.
gsave
setgray
/ymarg exch def
/lineheight exch def
/nlines exch def
% This 2 is just a magic number to sync highlight lines to text.
0 d_header_y ymarg sub 2 sub translate
/cw d_output_w cols div def % width of one column
/nrows d_output_h ymarg 2 mul sub lineheight div cvi def % text rows that fit in a column
% for each column
0 1 cols 1 sub {
cw mul /xp exch def % left edge of this column
% for each rows
0 1 nrows 1 sub {
/rn exch def
rn lineheight mul neg /yp exch def % rows run downward from the translated origin
% every other group of nlines rows gets a bar
rn nlines idiv 2 mod 0 eq {
% Draw highlight bar. 4 is just a magic indentation.
xp 4 add yp cw 8 sub lineheight neg Box fill
} if
} for
} for
grestore
} def
% Line highlight bar.
/line_highlight { % x y width height gray -> -  fill one rectangle with the given gray level
gsave
/gray exch def
gray setgray Box fill
grestore
} def
% Column separator lines.
/column_lines { % - -> -  stroke a thin vertical rule between each pair of adjacent columns
gsave
.1 setlinewidth
0 d_footer_h translate
/cw d_output_w cols div def
% one rule at the left edge of every column but the first
1 1 cols 1 sub { cw mul dup 0 moveto d_output_h lineto stroke } for
grestore
} def
% Column borders.
/column_borders { % - -> -  stroke the rectangle enclosing the whole output area
gsave
.1 setlinewidth
0 d_footer_h moveto
0 d_footer_h d_output_h add lineto
d_output_w d_footer_h d_output_h add lineto
d_output_w d_footer_h lineto
closepath stroke
grestore
} def
% Do the actual underlay drawing
/draw_underlay { % - -> -  render ul_str: outlined when ul_style is 0, filled otherwise
ul_str ul_style 0 eq { true charpath stroke } { show } ifelse
} def
% Underlay
/underlay { % - -> -
% Draws ul_str along the page diagonal, starting at the top-left corner
% and running toward the bottom-right, centred on the diagonal.
gsave
0 d_page_h translate
d_page_h neg d_page_w atan rotate % angle of the top-left to bottom-right diagonal
ul_gray setgray
ul_font setfont
/dw d_page_h dup mul d_page_w dup mul add sqrt def % length of the diagonal
ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto % centre the string on it
draw_underlay
grestore
} def
/user_underlay { % - -> -  render ul_str at the user-chosen origin ul_x, ul_y rotated by ul_angle
gsave
ul_x ul_y translate ul_angle rotate
ul_gray setgray ul_font setfont
0 ul_h_ptsize -2 div moveto % drop by half the font height so the text is centred on the origin
draw_underlay
grestore
} def
% Page prefeed
/page_prefeed { % bool -> -  set the printer's prefeed flag when statusdict supports it, else discard the flag
statusdict /prefeed known { /prefeed exch statusdict 3 1 roll put } { pop } ifelse
} def
% Wrapped line markers
/wrapped_line_mark { % x y charwith charheight type -> -
% Marks a wrapped line inside the character cell at (x, y) of size w x h.
% type 2: a filled box; type 3: a small arrow; any other type: nothing.
/type exch def
/h exch def
/w exch def
/y exch def
/x exch def
type 2 eq {
% Black boxes (like TeX does)
gsave
0 setlinewidth
x w 4 div add y M
0 h rlineto w 2 div 0 rlineto 0 h neg rlineto % half a cell wide, a full cell high
closepath fill
grestore
} {
type 3 eq {
% Small arrows
gsave
.2 setlinewidth
x w 2 div add y h 2 div add M % shaft: short horizontal stub, then a diagonal down to (x + w/4, y)
w 4 div 0 rlineto
x w 4 div add y lineto stroke
x w 4 div add w 8 div add y h 4 div add M % arrow head at the lower end of the shaft
x w 4 div add y lineto
w 4 div h 8 div rlineto stroke
grestore
} {
% do nothing
} ifelse
} ifelse
} def
% EPSF import.
/BeginEPSF {
% Prepare for an included EPS file: record the VM, dict-stack and
% operand-stack state so EndEPSF can undo whatever the EPS leaves behind.
/b4_Inc_state save def % Save state for cleanup
/dict_count countdictstack def % Count objects on dict stack
/op_count count 1 sub def % Count objects on operand stack
userdict begin
/showpage { } def % the included EPS must not eject the page
0 setgray 0 setlinecap
1 setlinewidth 0 setlinejoin
10 setmiterlimit [ ] 0 setdash newpath
/languagelevel where {
pop languagelevel
1 ne {
false setstrokeadjust false setoverprint % these operators exist only above Level 1
} if
} if
} bind def
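/EndEPSF { % - -> -  undo everything an included EPS left behind (pairs with BeginEPSF)
% Discard operands the EPS left on the stack. This must be 'pop': the
% original 'pos' is not a PostScript operator, so any surplus operand
% raised an undefined error instead of being cleaned up. A negative
% count (EPS consumed caller operands) is clamped to 0 to avoid rangecheck.
count op_count sub dup 0 lt { pop 0 } if { pop } repeat
% Pop any dictionaries the EPS left on the dict stack, same clamping.
countdictstack dict_count sub dup 0 lt { pop 0 } if { end } repeat
b4_Inc_state restore
} bind def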
% Check PostScript language level.
% Level 1 interpreters have no languagelevel operator; treat them as level 1.
/gs_languagelevel /languagelevel where { pop languagelevel } { 1 } ifelse def
%%EndResource
%%BeginResource: procset Enscript-Encoding-88591 1.6.5 2
% 256-entry ISO 8859-1 encoding vector, installed by MF as /Encoding of
% every font it builds (MF only installs it when the length is exactly 256).
% Codes 0-31 and 127-159 are unmapped (.notdef).
/encoding_vector [
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/space /exclam /quotedbl /numbersign
/dollar /percent /ampersand /quoteright
/parenleft /parenright /asterisk /plus
/comma /hyphen /period /slash
/zero /one /two /three
/four /five /six /seven
/eight /nine /colon /semicolon
/less /equal /greater /question
/at /A /B /C
/D /E /F /G
/H /I /J /K
/L /M /N /O
/P /Q /R /S
/T /U /V /W
/X /Y /Z /bracketleft
/backslash /bracketright /asciicircum /underscore
/quoteleft /a /b /c
/d /e /f /g
/h /i /j /k
/l /m /n /o
/p /q /r /s
/t /u /v /w
/x /y /z /braceleft
/bar /braceright /tilde /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/space /exclamdown /cent /sterling
/currency /yen /brokenbar /section
/dieresis /copyright /ordfeminine /guillemotleft
/logicalnot /hyphen /registered /macron
/degree /plusminus /twosuperior /threesuperior
/acute /mu /paragraph /bullet
/cedilla /onesuperior /ordmasculine /guillemotright
/onequarter /onehalf /threequarters /questiondown
/Agrave /Aacute /Acircumflex /Atilde
/Adieresis /Aring /AE /Ccedilla
/Egrave /Eacute /Ecircumflex /Edieresis
/Igrave /Iacute /Icircumflex /Idieresis
/Eth /Ntilde /Ograve /Oacute
/Ocircumflex /Otilde /Odieresis /multiply
/Oslash /Ugrave /Uacute /Ucircumflex
/Udieresis /Yacute /Thorn /germandbls
/agrave /aacute /acircumflex /atilde
/adieresis /aring /ae /ccedilla
/egrave /eacute /ecircumflex /edieresis
/igrave /iacute /icircumflex /idieresis
/eth /ntilde /ograve /oacute
/ocircumflex /otilde /odieresis /divide
/oslash /ugrave /uacute /ucircumflex
/udieresis /yacute /thorn /ydieresis
] def
%%EndResource
%%EndProlog
%%BeginSetup
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier
% Document setup: fonts, page device and the layout constants read by
% the prolog procedures (highlight_bars, column_lines, underlay, ...).
/HFpt_w 10 def % header font size, width in points
/HFpt_h 10 def % header font size, height in points
/Courier-Bold /HF-gs-font MF % re-encoded Courier-Bold for the header font
/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
/Courier /F-gs-font MF % re-encoded Courier for the body font ...
/F-gs-font 12 12 SF % ... selected at 12 x 12 points for the page text
/#copies 1 def
% Pagedevice definitions:
gs_languagelevel 1 gt {
<<
/PageSize [595 842]
>> setpagedevice % A4 in points; setpagedevice needs Level 2 or later
} if
/d_page_w 559 def % printable area, points
/d_page_h 770 def
/d_header_x 0 def % header box (height 0 in this file)
/d_header_y 770 def
/d_header_w 559 def
/d_header_h 0 def
/d_footer_x 0 def % footer box (height 0 in this file)
/d_footer_y 0 def
/d_footer_w 559 def
/d_footer_h 0 def
/d_output_w 559 def % text output area
/d_output_h 770 def
/cols 1 def % number of text columns per page
%%EndSetup
%%Page: (1) 1
%%BeginPageSetup
_S
18 36 translate
/pagenum 1 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 716 M
(Internet Engineering Task Force T. Krovetz) s
5 703 M
(Internet-Draft Sacramento State) s
5 690 M
(Intended status: Informational P. Rogaway) s
5 677 M
(Expires: January 16, 2012 UC Davis) s
5 664 M
( July 15, 2011) s
5 625 M
( The OCB Authenticated-Encryption Algorithm) s
5 612 M
( draft-krovetz-ocb-02) s
5 586 M
(Abstract) s
5 560 M
( This document specifies OCB, a shared-key blockcipher-based) s
5 547 M
( encryption scheme that provides privacy and authenticity for) s
5 534 M
( plaintexts and authenticity for associated data.) s
5 508 M
(Status of this Memo) s
5 482 M
( This Internet-Draft is submitted in full conformance with the) s
5 469 M
( provisions of BCP 78 and BCP 79.) s
5 443 M
( Internet-Drafts are working documents of the Internet Engineering) s
5 430 M
( Task Force \(IETF\). Note that other groups may also distribute) s
5 417 M
( working documents as Internet-Drafts. The list of current Internet-) s
5 404 M
( Drafts is at http://datatracker.ietf.org/drafts/current/.) s
5 378 M
( Internet-Drafts are draft documents valid for a maximum of six months) s
5 365 M
( and may be updated, replaced, or obsoleted by other documents at any) s
5 352 M
( time. It is inappropriate to use Internet-Drafts as reference) s
5 339 M
( material or to cite them other than as "work in progress.") s
5 313 M
( This Internet-Draft will expire on January 16, 2012.) s
5 287 M
(Copyright Notice) s
5 261 M
( Copyright \(c\) 2011 IETF Trust and the persons identified as the) s
5 248 M
( document authors. All rights reserved.) s
5 222 M
( This document is subject to BCP 78 and the IETF Trust's Legal) s
5 209 M
( Provisions Relating to IETF Documents) s
5 196 M
( \(http://trustee.ietf.org/license-info\) in effect on the date of) s
5 183 M
( publication of this document. Please review these documents) s
5 170 M
( carefully, as they describe your rights and restrictions with respect) s
5 157 M
( to this document. Code Components extracted from this document must) s
5 144 M
( include Simplified BSD License text as described in Section 4.e of) s
5 131 M
( the Trust Legal Provisions and are provided without warranty as) s
5 118 M
( described in the Simplified BSD License.) s
5 53 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 1]) s
_R
S
%%Page: (2) 2
%%BeginPageSetup
_S
18 36 translate
/pagenum 2 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
(Table of Contents) s
5 677 M
( 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3) s
5 664 M
( 2. Notation and Basic Operations . . . . . . . . . . . . . . . . 4) s
5 651 M
( 3. OCB Global Parameters . . . . . . . . . . . . . . . . . . . . 5) s
5 638 M
( 3.1. Named OCB Parameter Sets and RFC 5116 Constants . . . . . 5) s
5 625 M
( 4. OCB Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 6) s
5 612 M
( 4.1. Associated-Data Processing: HASH . . . . . . . . . . . . . 6) s
5 599 M
( 4.2. Encryption: OCB-ENCRYPT . . . . . . . . . . . . . . . . . 8) s
5 586 M
( 4.3. Decryption: OCB-DECRYPT . . . . . . . . . . . . . . . . . 9) s
5 573 M
( 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11) s
5 560 M
( 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12) s
5 547 M
( 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13) s
5 534 M
( 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13) s
5 521 M
( 8.1. Normative References . . . . . . . . . . . . . . . . . . . 13) s
5 508 M
( 8.2. Informative References . . . . . . . . . . . . . . . . . . 13) s
5 495 M
( Appendix A. Sample Results . . . . . . . . . . . . . . . . . . . 14) s
5 482 M
( Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 2]) s
_R
S
%%Page: (3) 3
%%BeginPageSetup
_S
18 36 translate
/pagenum 3 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
(1. Introduction) s
5 677 M
( Schemes for authenticated encryption \(AE\) simultaneously provide for) s
5 664 M
( privacy and authentication. While this goal would traditionally be) s
5 651 M
( achieved by melding separate encryption and authentication) s
5 638 M
( mechanisms, each using its own key, integrated AE schemes intertwine) s
5 625 M
( what is needed for privacy and what is needed for authenticity. By) s
5 612 M
( conceptualizing AE as a single cryptographic goal, AE schemes are) s
5 599 M
( less likely to be misused than conventional encryption schemes.) s
5 586 M
( Also, integrated AE schemes can be significantly faster than what one) s
5 573 M
( sees from composing separate privacy and authenticity means.) s
5 547 M
( When an AE scheme allows for the authentication of unencrypted data) s
5 534 M
( at the same time that a plaintext is being encrypted and) s
5 521 M
( authenticated, the scheme is an authenticated encryption with) s
5 508 M
( associated data \(AEAD\) scheme. Associated data can be useful when,) s
5 495 M
( for example, a network packet has unencrypted routing information and) s
5 482 M
( an encrypted payload.) s
5 456 M
( OCB is an AEAD scheme that depends on a blockcipher [4]. This) s
5 443 M
( document fully defines OCB encryption and decryption except for the) s
5 430 M
( choice of the blockcipher and the length of authentication tag that) s
5 417 M
( is part of the ciphertext. The blockcipher must have a 128-bit) s
5 404 M
( blocksize. Each choice of blockcipher and tag length specifies a) s
5 391 M
( different variant of OCB. Several AES-based variants are defined in) s
5 378 M
( Section 3.1.) s
5 352 M
( OCB encryption and decryption employ a nonce N, which must be) s
5 339 M
( selected as a new value for each message encrypted. OCB requires the) s
5 326 M
( associated data A to be specified when one encrypts or decrypts, but) s
5 313 M
( it may be zero-length. The plaintext P and the associated data A can) s
5 300 M
( have any bitlength. The ciphertext C one gets by encrypting P in the) s
5 287 M
( presence of A consists of a ciphertext-core having the same length as) s
5 274 M
( P, plus an authentication tag. One can view the resulting ciphertext) s
5 261 M
( as either the pair \(ciphertext-core, tag\) or their concatenation) s
5 248 M
( \(ciphertext-core || tag\), the difference being purely how one) s
5 235 M
( assembles and parses ciphertexts. This document uses concatenation.) s
5 209 M
( OCB encryption protects the privacy of P and the authenticity of A,) s
5 196 M
( N, and P. It does this using, on average, about a + m + 1.02) s
5 183 M
( blockcipher calls, where a is the blocklength of A and m is the) s
5 170 M
( blocklength of P and the nonce N is implemented as a counter \(if N is) s
5 157 M
( random then OCB uses a + m + 2 blockcipher calls\). If A is fixed) s
5 144 M
( during a session then, after preprocessing, there is effectively no) s
5 131 M
( cost to having A authenticated on subsequent encryptions, and the) s
5 118 M
( mode will average m + 1.02 blockcipher calls. OCB requires a single) s
5 105 M
( key K for the underlying blockcipher, and all blockcipher calls are) s
5 92 M
( keyed by K. OCB is on-line: one need not know the length of A or P to) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 3]) s
_R
S
%%Page: (4) 4
%%BeginPageSetup
_S
18 36 translate
/pagenum 4 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( proceed with encryption, nor need one know the length of A or C to) s
5 690 M
( proceed with decryption. OCB is parallelizable: the bulk of its) s
5 677 M
( blockcipher calls can be performed simultaneously. Computational) s
5 664 M
( work beyond blockcipher calls consists of a small and fixed number of) s
5 651 M
( logical operations per call. OCB enjoys provable security: the mode) s
5 638 M
( of operation is secure assuming that the underlying blockcipher is) s
5 625 M
( secure. As with most modes of operation, security degrades in the) s
5 612 M
( square of the number of blocks of texts divided by two to the) s
5 599 M
( blocklength.) s
5 573 M
( The version of OCB defined in this document is a refinement of two) s
5 560 M
( prior schemes. The original OCB version was published in 2001 [6]) s
5 547 M
( and was listed as an optional component in IEEE 802.11i. A second) s
5 534 M
( version was published in 2004 [5] and is specified in ISO 19772. The) s
5 521 M
( scheme described here is called OCB3 in the 2011 paper describing the) s
5 508 M
( mode [4]; it shall be referred to simply as OCB throughout this) s
5 495 M
( document. See [4] for complete references, timing information, and a) s
5 482 M
( discussion of the differences between the algorithms.) s
5 443 M
(2. Notation and Basic Operations) s
5 417 M
( There are two types of variables used in this specification, strings) s
5 404 M
( and integers. Although most data processed by implementations of OCB) s
5 391 M
( will be byte-oriented, a number of bit-level operations are used in) s
5 378 M
( this specification, and so strings are here considered strings of) s
5 365 M
( bits rather than strings of bytes. String variables are always) s
5 352 M
( written with an initial upper-case letter while integer variables are) s
5 339 M
( written in all lower-case. Following C's convention, a single equals) s
5 326 M
( \("="\) indicates variable assignment and double equals \("=="\) is the) s
5 313 M
( equality relation. Whenever a variable is followed by an underscore) s
5 300 M
( \("_"\), the underscore is intended to denote a subscript, with the) s
5 287 M
( subscripted expression requiring evaluation to resolve the meaning of) s
5 274 M
( the variable. For example, when i == 2, then P_i refers to the) s
5 261 M
( variable P_2.) s
5 235 M
( c^i The integer c raised to the i-th power.) s
5 209 M
( bitlen\(S\) The length of string S in bits \(eg, bitlen\(101\) == 3\).) s
5 183 M
( zeros\(n\) The string made of n zero-bits.) s
5 157 M
( ntz\(n\) The number of trailing zero bits in the base-2) s
5 144 M
( representation of the positive integer n. More formally,) s
5 131 M
( ntz\(n\) is the largest integer x for which 2^x divides n.) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 4]) s
_R
S
%%Page: (5) 5
%%BeginPageSetup
_S
18 36 translate
/pagenum 5 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( S xor T The string that is the bitwise exclusive-or of S and T.) s
5 690 M
( Strings S and T will always have the same length.) s
5 664 M
( S[i] The i-th bit of the string S \(indices begin at 1\).) s
5 638 M
( S[i..j] The substring of S consisting of bits i through j,) s
5 625 M
( inclusive.) s
5 599 M
( S || T String S concatenated with string T \(eg, 000 || 111 ==) s
5 586 M
( 000111\).) s
5 560 M
( str2num\(S\) The base-2 integral interpretation of bitstring S \(eg,) s
5 547 M
( str2num\(1110\) == 14\).) s
5 521 M
( double\(S\) If S[1] == 0 then double\(S\) == \(S[2..128] || 0\);) s
5 508 M
( otherwise double\(S\) == \(S[2..128] || 0\) xor \(zeros\(120\)) s
5 495 M
( || 10000111\).) s
5 456 M
(3. OCB Global Parameters) s
5 430 M
( To be complete, the algorithms in this document require specification) s
5 417 M
( of two global parameters: a blockcipher operating on 128-bit blocks) s
5 404 M
( and the length of authentication tags in use.) s
5 378 M
( Specifying a blockcipher implicitly defines the following symbols.) s
5 352 M
( KEYLEN The blockcipher's key length, in bits.) s
5 326 M
( ENCIPHER\(K,P\) The blockcipher function mapping 128-bit plaintext) s
5 313 M
( block P to its corresponding ciphertext block using) s
5 300 M
( KEYLEN-bit key K.) s
5 274 M
( DECIPHER\(K,C\) The inverse blockcipher function mapping 128-bit) s
5 261 M
( ciphertext block C to its corresponding plaintext) s
5 248 M
( block using KEYLEN-bit key K.) s
5 222 M
( As an example, if 128-bit authentication tags and AES with 192-bit) s
5 209 M
( keys are to be used, then KEYLEN is 192, ENCIPHER refers to the AES-) s
5 196 M
( 192 cipher, DECIPHER refers to the AES-192 inverse cipher, and TAGLEN) s
5 183 M
( is 128 [2].) s
5 157 M
(3.1. Named OCB Parameter Sets and RFC 5116 Constants) s
5 131 M
( The following table gives names to common OCB global parameter sets.) s
5 118 M
( Each of the AES variants is defined in [2].) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 5]) s
_R
S
%%Page: (6) 6
%%BeginPageSetup
_S
18 36 translate
/pagenum 6 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( +----------------------------+-------------+--------+) s
5 690 M
( | Name | Blockcipher | TAGLEN |) s
5 677 M
( +----------------------------+-------------+--------+) s
5 664 M
( | AEAD_AES_128_OCB_TAGLEN128 | AES-128 | 128 |) s
5 651 M
( | AEAD_AES_128_OCB_TAGLEN96 | AES-128 | 96 |) s
5 638 M
( | AEAD_AES_128_OCB_TAGLEN64 | AES-128 | 64 |) s
5 625 M
( | AEAD_AES_192_OCB_TAGLEN128 | AES-192 | 128 |) s
5 612 M
( | AEAD_AES_192_OCB_TAGLEN96 | AES-192 | 96 |) s
5 599 M
( | AEAD_AES_192_OCB_TAGLEN64 | AES-192 | 64 |) s
5 586 M
( | AEAD_AES_256_OCB_TAGLEN128 | AES-256 | 128 |) s
5 573 M
( | AEAD_AES_256_OCB_TAGLEN96 | AES-256 | 96 |) s
5 560 M
( | AEAD_AES_256_OCB_TAGLEN64 | AES-256 | 64 |) s
5 547 M
( +----------------------------+-------------+--------+) s
5 521 M
( RFC 5116 defines an interface for authenticated encryption schemes) s
5 508 M
( [1]. RFC 5116 requires the specification of certain constants for) s
5 495 M
( each named AEAD scheme. For each of the OCB parameter sets listed) s
5 482 M
( above: P_MAX, A_MAX, and C_MAX are all unbounded; N_MIN is 1 byte and) s
5 469 M
( N_MAX is 15 bytes. The parameter-sets indicating the use of AES-128,) s
5 456 M
( AES-192 and AES-256 have K_LEN equal to 16, 24 and 32 bytes,) s
5 443 M
( respectively.) s
5 404 M
(4. OCB Algorithms) s
5 378 M
( OCB is described in this section using pseudocode. Given any) s
5 365 M
( collection of inputs of the required types, following the pseudocode) s
5 352 M
( description for a function will produce the correct output of the) s
5 339 M
( promised type.) s
5 313 M
(4.1. Associated-Data Processing: HASH) s
5 287 M
( OCB has the ability to authenticate unencrypted associated data at) s
5 274 M
( the same time that it provides for authentication and encrypts a) s
5 261 M
( plaintext. The following hash function is central to providing this) s
5 248 M
( functionality. If an application has no associated data, then the) s
5 235 M
( associated data should be considered to exist and to be the empty) s
5 222 M
( string. HASH, conveniently, always returns zeros\(128\) when the) s
5 209 M
( associated data is the empty string.) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 6]) s
_R
S
%%Page: (7) 7
%%BeginPageSetup
_S
18 36 translate
/pagenum 7 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( Function name:) s
5 690 M
( HASH) s
5 677 M
( Input:) s
5 664 M
( K, string of KEYLEN bits // Key) s
5 651 M
( A, string of any length // Associated data) s
5 638 M
( Output:) s
5 625 M
( Sum, string of 128 bits // Hash result) s
5 599 M
( Sum is defined as follows.) s
5 573 M
( //) s
5 560 M
( // Key-dependent variables) s
5 547 M
( //) s
5 534 M
( L_* = ENCIPHER\(K, zeros\(128\)\)) s
5 521 M
( L_$ = double\(L_*\)) s
5 508 M
( L_0 = double\(L_$\)) s
5 495 M
( L_i = double\(L_{i-1}\) for every integer i > 0) s
5 469 M
( //) s
5 456 M
( // Consider A as a sequence of 128-bit blocks) s
5 443 M
( //) s
5 430 M
( Let m be the largest integer so that 128m <= bitlen\(A\)) s
5 417 M
( Let A_1, A_2, ..., A_m and A_* be strings so that) s
5 404 M
( A == A_1 || A_2 || ... || A_m || A_*, and) s
5 391 M
( bitlen\(A_i\) == 128 for each 1 <= i <= m.) s
5 378 M
( Note: A_* may possibly be an empty string.) s
5 352 M
( //) s
5 339 M
( // Process any whole blocks) s
5 326 M
( //) s
5 313 M
( Sum_0 = zeros\(128\)) s
5 300 M
( Offset_0 = zeros\(128\)) s
5 287 M
( for each 1 <= i <= m) s
5 274 M
( Offset_i = Offset_{i-1} xor L_{ntz\(i\)}) s
5 261 M
( Sum_i = Sum_{i-1} xor ENCIPHER\(K, A_i xor Offset_i\)) s
5 248 M
( end for) s
5 222 M
( //) s
5 209 M
( // Process any final partial block; compute final hash value) s
5 196 M
( //) s
5 183 M
( if bitlen\(A_*\) > 0 then) s
5 170 M
( Offset_* = Offset_m xor L_*) s
5 157 M
( CipherInput = \(A_* || 1 || zeros\(127-bitlen\(A_*\)\)\) xor Offset_*) s
5 144 M
( Sum = Sum_m xor ENCIPHER\(K, CipherInput\)) s
5 131 M
( else) s
5 118 M
( Sum = Sum_m) s
5 105 M
( end if) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 7]) s
_R
S
%%Page: (8) 8
%%BeginPageSetup
_S
18 36 translate
/pagenum 8 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
(4.2. Encryption: OCB-ENCRYPT) s
5 677 M
( This function computes a ciphertext \(which includes a bundled) s
5 664 M
( authentication tag\) when given a plaintext, associated data, nonce) s
5 651 M
( and key.) s
5 625 M
( Function name:) s
5 612 M
( OCB-ENCRYPT) s
5 599 M
( Input:) s
5 586 M
( K, string of KEYLEN bits // Key) s
5 573 M
( N, string of fewer than 128 bits // Nonce) s
5 560 M
( A, string of any length // Associated data) s
5 547 M
( P, string of any length // Plaintext) s
5 534 M
( Output:) s
5 521 M
( C, string of length bitlen\(P\) + TAGLEN bits // Ciphertext) s
5 495 M
( C is defined as follows.) s
5 469 M
( //) s
5 456 M
( // Key-dependent variables) s
5 443 M
( //) s
5 430 M
( L_* = ENCIPHER\(K, zeros\(128\)\)) s
5 417 M
( L_$ = double\(L_*\)) s
5 404 M
( L_0 = double\(L_$\)) s
5 391 M
( L_i = double\(L_{i-1}\) for every integer i > 0) s
5 365 M
( //) s
5 352 M
( // Consider P as a sequence of 128-bit blocks) s
5 339 M
( //) s
5 326 M
( Let m be the largest integer so that 128m <= bitlen\(P\)) s
5 313 M
( Let P_1, P_2, ..., P_m and P_* be strings so that) s
5 300 M
( P == P_1 || P_2 || ... || P_m || P_*, and) s
5 287 M
( bitlen\(P_i\) == 128 for each 1 <= i <= m.) s
5 274 M
( Note: P_* may possibly be an empty string.) s
5 248 M
( //) s
5 235 M
( // Nonce-dependent and per-encryption variables) s
5 222 M
( //) s
5 209 M
( Nonce = zeros\(127-bitlen\(N\)\) || 1 || N) s
5 196 M
( bottom = str2num\(Nonce[123..128]\)) s
5 183 M
( Ktop = ENCIPHER\(K, Nonce[1..122] || zeros\(6\)\)) s
5 170 M
( Stretch = Ktop || \(Ktop[1..64] xor Ktop[9..72]\)) s
5 157 M
( Offset_0 = Stretch[1+bottom..128+bottom]) s
5 144 M
( Checksum_0 = zeros\(128\)) s
5 118 M
( //) s
5 105 M
( // Process any whole blocks) s
5 92 M
( //) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 8]) s
_R
S
%%Page: (9) 9
%%BeginPageSetup
_S
18 36 translate
/pagenum 9 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( for each 1 <= i <= m) s
5 690 M
( Offset_i = Offset_{i-1} xor L_{ntz\(i\)}) s
5 677 M
( C_i = Offset_i xor ENCIPHER\(K, P_i xor Offset_i\)) s
5 664 M
( Checksum_i = Checksum_{i-1} xor P_i) s
5 651 M
( end for) s
5 625 M
( //) s
5 612 M
( // Process any final partial block and compute raw tag) s
5 599 M
( //) s
5 586 M
( if bitlen\(P_*\) > 0 then) s
5 573 M
( Offset_* = Offset_m xor L_*) s
5 560 M
( Pad = ENCIPHER\(K, Offset_*\)) s
5 547 M
( C_* = P_* xor Pad[1..bitlen\(P_*\)]) s
5 534 M
( Checksum_* = Checksum_m xor \(P_* || 1 || zeros\(127-bitlen\(P_*\)\)\)) s
5 521 M
( Tag = ENCIPHER\(K, Checksum_* xor Offset_* xor L_$\) xor HASH\(K,A\)) s
5 508 M
( else) s
5 495 M
( C_* = <empty string>) s
5 482 M
( Tag = ENCIPHER\(K, Checksum_m xor Offset_m xor L_$\) xor HASH\(K,A\)) s
5 469 M
( end if) s
5 443 M
( //) s
5 430 M
( // Assemble ciphertext) s
5 417 M
( //) s
5 404 M
( C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]) s
5 378 M
(4.3. Decryption: OCB-DECRYPT) s
5 352 M
( This function computes a plaintext when given a ciphertext,) s
5 339 M
( associated data, nonce and key. An authentication tag is embedded in) s
5 326 M
( the ciphertext. If the tag is not correct for the ciphertext,) s
5 313 M
( associated data, nonce and key, then an INVALID signal is produced.) s
5 287 M
( Function name:) s
5 274 M
( OCB-DECRYPT) s
5 261 M
( Input:) s
5 248 M
( K, string of KEYLEN bits // Key) s
5 235 M
( N, string of fewer than 128 bits // Nonce) s
5 222 M
( A, string of any length // Associated data) s
5 209 M
( C, string of at least TAGLEN bits // Ciphertext) s
5 196 M
( Output:) s
5 183 M
( P, string of length bitlen\(C\) - TAGLEN bits, // Plaintext) s
5 170 M
( or INVALID indicating authentication failure) s
5 144 M
( P is defined as follows.) s
5 118 M
( //) s
5 105 M
( // Key-dependent variables) s
5 92 M
( //) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 9]) s
_R
S
%%Page: (10) 10
%%BeginPageSetup
_S
18 36 translate
/pagenum 10 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( L_* = ENCIPHER\(K, zeros\(128\)\)) s
5 690 M
( L_$ = double\(L_*\)) s
5 677 M
( L_0 = double\(L_$\)) s
5 664 M
( L_i = double\(L_{i-1}\) for every integer i > 0) s
5 638 M
( //) s
5 625 M
( // Consider C as a sequence of 128-bit blocks) s
5 612 M
( //) s
5 599 M
( Let m be the largest integer so that 128m <= bitlen\(C\) - TAGLEN) s
5 586 M
( Let C_1, C_2, ..., C_m, C_* and T be strings so that) s
5 573 M
( C == C_1 || C_2 || ... || C_m || C_* || T,) s
5 560 M
( bitlen\(C_i\) == 128 for each 1 <= i <= m, and) s
5 547 M
( bitlen\(T\) == TAGLEN.) s
5 534 M
( Note: C_* may possibly be an empty string.) s
5 508 M
( //) s
5 495 M
( // Nonce-dependent and per-decryption variables) s
5 482 M
( //) s
5 469 M
( Nonce = zeros\(127-bitlen\(N\)\) || 1 || N) s
5 456 M
( bottom = str2num\(Nonce[123..128]\)) s
5 443 M
( Ktop = ENCIPHER\(K, Nonce[1..122] || zeros\(6\)\)) s
5 430 M
( Stretch = Ktop || \(Ktop[1..64] xor Ktop[9..72]\)) s
5 417 M
( Offset_0 = Stretch[1+bottom..128+bottom]) s
5 404 M
( Checksum_0 = zeros\(128\)) s
5 378 M
( //) s
5 365 M
( // Process any whole blocks) s
5 352 M
( //) s
5 339 M
( for each 1 <= i <= m) s
5 326 M
( Offset_i = Offset_{i-1} xor L_{ntz\(i\)}) s
5 313 M
( P_i = Offset_i xor DECIPHER\(K, C_i xor Offset_i\)) s
5 300 M
( Checksum_i = Checksum_{i-1} xor P_i) s
5 287 M
( end for) s
5 261 M
( //) s
5 248 M
( // Process any final partial block and compute raw tag) s
5 235 M
( //) s
5 222 M
( if bitlen\(C_*\) > 0 then) s
5 209 M
( Offset_* = Offset_m xor L_*) s
5 196 M
( Pad = ENCIPHER\(K, Offset_*\)) s
5 183 M
( P_* = C_* xor Pad[1..bitlen\(C_*\)]) s
5 170 M
( Checksum_* = Checksum_m xor \(P_* || 1 || zeros\(127-bitlen\(P_*\)\)\)) s
5 157 M
( Tag = ENCIPHER\(K, Checksum_* xor Offset_* xor L_$\) xor HASH\(K,A\)) s
5 144 M
( else) s
5 131 M
( P_* = <empty string>) s
5 118 M
( Tag = ENCIPHER\(K, Checksum_m xor Offset_m xor L_$\) xor HASH\(K,A\)) s
5 105 M
( end if) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 10]) s
_R
S
%%Page: (11) 11
%%BeginPageSetup
_S
18 36 translate
/pagenum 11 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( //) s
5 690 M
( // Check for validity and assemble plaintext) s
5 677 M
( //) s
5 664 M
( if \(Tag[1..TAGLEN] == T\) then) s
5 651 M
( P = P_1 || P_2 || ... || P_m || P_*) s
5 638 M
( else) s
5 625 M
( P = INVALID) s
5 612 M
( end if) s
5 573 M
(5. Security Considerations) s
5 547 M
( OCB achieves two security properties, privacy and authenticity.) s
5 534 M
( Privacy is defined via "indistinguishability from random bits",) s
5 521 M
( meaning that an adversary is unable to distinguish OCB-outputs from) s
5 508 M
( an equal number of random bits. Authenticity is defined via) s
5 495 M
( "authenticity of ciphertexts", meaning that an adversary is unable to) s
5 482 M
( produce any valid \(N,C,T\) triple that it has not already acquired.) s
5 469 M
( The security guarantees depend on the underlying blockcipher being) s
5 456 M
( secure in the sense of a strong pseudorandom permutation. Thus if) s
5 443 M
( OCB is used with a blockcipher that is not secure as a strong) s
5 430 M
( pseudorandom permutation, the security guarantees vanish. The need) s
5 417 M
( for the strong pseudorandom permutation property means that OCB) s
5 404 M
( should be used with a conservatively designed, well-trusted) s
5 391 M
( blockcipher, such as AES.) s
5 365 M
( Both the privacy and the authenticity properties of OCB degrade as) s
5 352 M
( per s^2 / 2^128, where s is the total number of blocks that the) s
5 339 M
( adversary acquires. The consequence of this formula is that the) s
5 326 M
( proven security vanishes when s becomes as large as 2^{128/2}. Thus) s
5 313 M
( the user should never use a key to generate an amount of ciphertext) s
5 300 M
( that is near to, or exceeds, 2^64 blocks. In order to ensure that) s
5 287 M
( s^2 / 2^128 remains small, a given key should be used to encrypt at) s
5 274 M
( most 2^48 blocks \(2^55 bits or 4 petabytes\), including the associated) s
5 261 M
( data.) s
5 235 M
( It is crucial that, as one encrypts, one does not repeat a nonce.) s
5 222 M
( Repetition of a nonce will compromise both privacy and authenticity:) s
5 209 M
( partial information about past plaintexts will be revealed and) s
5 196 M
( subsequent forgeries will be possible. As a consequence, OCB must) s
5 183 M
( not be used in environments where the encrypting party cannot) s
5 170 M
( guarantee nonce uniqueness. Note that there are AEAD schemes,) s
5 157 M
( particularly SIV [3], appropriate for environments where nonces are) s
5 144 M
( unavailable or unreliable. OCB is not such a scheme.) s
5 118 M
( Nonces need not be secret, and a counter may be used for them. If) s
5 105 M
( two parties send OCB-encrypted plaintexts to one another using the) s
5 92 M
( same key, then the space of nonces used by the two parties should be) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 11]) s
_R
S
%%Page: (12) 12
%%BeginPageSetup
_S
18 36 translate
/pagenum 12 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( partitioned so that no nonce that could be used by one party to) s
5 690 M
( encrypt could be used by the other to encrypt \(eg, odd and even) s
5 677 M
( counters\).) s
5 651 M
( When a ciphertext decrypts as INVALID it is the implementor's) s
5 638 M
( responsibility to make sure that no information beyond this fact is) s
5 625 M
( made available to an adversary.) s
5 599 M
( OCB encryption and decryption produce an internal 128-bit) s
5 586 M
( authentication tag. The parameter TAGLEN determines how many prefix) s
5 573 M
( bits of this internal tag are used for authentication. The length) s
5 560 M
( TAGLEN of the prefix used impacts the adversary's ability to forge:) s
5 547 M
( it will always be trivial for the adversary to forge with probability) s
5 534 M
( 2^{-TAGLEN}. It is up to the application designer to choose an) s
5 521 M
( appropriate value for TAGLEN. Longer tags cost no more) s
5 508 M
( computationally than do shorter ones.) s
5 482 M
( Timing attacks are not a part of the formal security model and an) s
5 469 M
( implementation should take care to mitigate them. To render timing) s
5 456 M
( attacks impotent, the amount of time to encrypt or decrypt a string) s
5 443 M
( should be independent of the key and the contents of the string. The) s
5 430 M
( only explicitly conditional OCB operation that depends on private) s
5 417 M
( data is double\(\), which means that using constant-time blockcipher) s
5 404 M
( and double\(\) implementations eliminates most \(if not all\) sources of) s
5 391 M
( timing attacks on OCB. Power-usage attacks are likewise out of scope) s
5 378 M
( of the formal model, and should be considered for environments where) s
5 365 M
( they are threatening.) s
5 339 M
( The OCB encryption scheme reveals in the ciphertext the length of the) s
5 326 M
( plaintext. Sometimes the length of the plaintext is a valuable piece) s
5 313 M
( of information that should be hidden. For environments where) s
5 300 M
( "traffic analysis" is a concern, techniques beyond OCB encryption) s
5 287 M
( \(typically involving padding\) would be necessary.) s
5 261 M
( Defining the ciphertext that results from OCB-ENCRYPT to be the pair) s
5 248 M
( \(C_1 || C_2 || ... || C_m || C_*, Tag[1..TAGLEN]\) instead of the) s
5 235 M
( concatenation C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]) s
5 222 M
( introduces no security concerns. Because TAGLEN is fixed, both) s
5 209 M
( versions allow ciphertexts to be parsed unambiguously.) s
5 170 M
(6. IANA Considerations) s
5 144 M
( The Internet Assigned Numbers Authority \(IANA\) has defined a registry) s
5 131 M
( for Authenticated Encryption with Associated Data parameters. The) s
5 118 M
( IANA has added the following entries to the AEAD Registry. Each name) s
5 105 M
( refers to a set of parameters defined in Section 3.1.) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 12]) s
_R
S
%%Page: (13) 13
%%BeginPageSetup
_S
18 36 translate
/pagenum 13 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( +----------------------------+-------------+--------------------+) s
5 690 M
( | Name | Reference | Numeric Identifier |) s
5 677 M
( +----------------------------+-------------+--------------------+) s
5 664 M
( | AEAD_AES_128_OCB_TAGLEN128 | Section 3.1 | XX |) s
5 651 M
( | AEAD_AES_128_OCB_TAGLEN96 | Section 3.1 | XX |) s
5 638 M
( | AEAD_AES_128_OCB_TAGLEN64 | Section 3.1 | XX |) s
5 625 M
( | AEAD_AES_192_OCB_TAGLEN128 | Section 3.1 | XX |) s
5 612 M
( | AEAD_AES_192_OCB_TAGLEN96 | Section 3.1 | XX |) s
5 599 M
( | AEAD_AES_192_OCB_TAGLEN64 | Section 3.1 | XX |) s
5 586 M
( | AEAD_AES_256_OCB_TAGLEN128 | Section 3.1 | XX |) s
5 573 M
( | AEAD_AES_256_OCB_TAGLEN96 | Section 3.1 | XX |) s
5 560 M
( | AEAD_AES_256_OCB_TAGLEN64 | Section 3.1 | XX |) s
5 547 M
( +----------------------------+-------------+--------------------+) s
5 508 M
(7. Acknowledgements) s
5 482 M
( The design of the original OCB scheme [6] was done while Phil Rogaway) s
5 469 M
( was at Chiang Mai University, Thailand. Follow-up work [5] was done) s
5 456 M
( with support of NSF grant 0208842 and a gift from Cisco. The final) s
5 443 M
( work by Krovetz and Rogaway that has resulted in this spec [4] was) s
5 430 M
( supported by NSF grant 0904380.) s
5 391 M
(8. References) s
5 365 M
(8.1. Normative References) s
5 339 M
( [1] McGrew, D., "An interface and algorithms for authenticated) s
5 326 M
( encryption", RFC 5116, January 2008.) s
5 300 M
( [2] National Institute of Standards and Technology, "Advanced) s
5 287 M
( Encryption Standard \(AES\)", FIPS PUB 197, November 2001.) s
5 261 M
(8.2. Informative References) s
5 235 M
( [3] Harkins, D., "Synthetic Initialization Vector \(SIV\)) s
5 222 M
( authenticated encryption using the Advanced Encryption Standard) s
5 209 M
( \(AES\)", RFC 5297, October 2008.) s
5 183 M
( [4] Krovetz, T. and P. Rogaway, "The software performance of) s
5 170 M
( authenticated-encryption modes", in Fast Software Encryption -) s
5 157 M
( FSE 2011, Springer, 2011.) s
5 131 M
( [5] Rogaway, P., "Efficient instantiations of tweakable blockciphers) s
5 118 M
( and refinements to modes OCB and PMAC", in Advances in) s
5 105 M
( Cryptology - ASIACRYPT 2004, Springer, 2004.) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 13]) s
_R
S
%%Page: (14) 14
%%BeginPageSetup
_S
18 36 translate
/pagenum 14 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( [6] Rogaway, P., Bellare, M., Black, J., and T. Krovetz, "OCB: A) s
5 690 M
( block-cipher mode of operation for efficient authenticated) s
5 677 M
( encryption", in ACM Conference on Computer and Communications) s
5 664 M
( Security 2001 - CCS 2001, ACM Press, 2001.) s
5 625 M
(Appendix A. Sample Results) s
5 599 M
( This section gives sample output values for various inputs when using) s
5 586 M
( the AEAD_AES_128_OCB_TAGLEN128 parameters defined in Section 3.1.) s
5 573 M
( All strings are represented in hexadecimal \(eg, 0F represents the) s
5 560 M
( bitstring 00001111\).) s
5 534 M
( Each of the following \(A,P,C\) triples shows the ciphertext C that) s
5 521 M
( results from OCB-ENCRYPT\(K,N,A,P\) when K and N are fixed with the) s
5 508 M
( values) s
5 482 M
( K : 000102030405060708090A0B0C0D0E0F) s
5 469 M
( N : 000102030405060708090A0B) s
5 443 M
( Empty entries indicate empty strings.) s
5 417 M
( A:) s
5 404 M
( P:) s
5 391 M
( C: 197B9C3C441D3C83EAFB2BEF633B9182) s
5 365 M
( A: 0001020304050607) s
5 352 M
( P: 0001020304050607) s
5 339 M
( C: 92B657130A74B85A16DC76A46D47E1EAD537209E8A96D14E) s
5 313 M
( A: 0001020304050607) s
5 300 M
( P:) s
5 287 M
( C: 98B91552C8C009185044E30A6EB2FE21) s
5 261 M
( A:) s
5 248 M
( P: 0001020304050607) s
5 235 M
( C: 92B657130A74B85A971EFFCAE19AD4716F88E87B871FBEED) s
5 209 M
( A: 000102030405060708090A0B0C0D0E0F) s
5 196 M
( P: 000102030405060708090A0B0C0D0E0F) s
5 183 M
( C: BEA5E8798DBE7110031C144DA0B26122776C9924D6723A1F) s
5 170 M
( C4524532AC3E5BEB) s
5 144 M
( A: 000102030405060708090A0B0C0D0E0F) s
5 131 M
( P:) s
5 118 M
( C: 7DDB8E6CEA6814866212509619B19CC6) s
5 92 M
( A:) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 14]) s
_R
S
%%Page: (15) 15
%%BeginPageSetup
_S
18 36 translate
/pagenum 15 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( P: 000102030405060708090A0B0C0D0E0F) s
5 690 M
( C: BEA5E8798DBE7110031C144DA0B2612213CC8B747807121A) s
5 677 M
( 4CBB3E4BD6B456AF) s
5 651 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 638 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 625 M
( C: BEA5E8798DBE7110031C144DA0B26122FCFCEE7A2A8D4D48) s
5 612 M
( 5FA94FC3F38820F1DC3F3D1FD4E55E1C) s
5 586 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 573 M
( P:) s
5 560 M
( C: 282026DA3068BC9FA118681D559F10F6) s
5 534 M
( A:) s
5 521 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 508 M
( C: BEA5E8798DBE7110031C144DA0B26122FCFCEE7A2A8D4D48) s
5 495 M
( 6EF2F52587FDA0ED97DC7EEDE241DF68) s
5 469 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 456 M
( 18191A1B1C1D1E1F) s
5 443 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 430 M
( 18191A1B1C1D1E1F) s
5 417 M
( C: BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A6) s
5 404 M
( 57149D53773463CBB2A040DD3BD5164372D76D7BB6824240) s
5 378 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 365 M
( 18191A1B1C1D1E1F) s
5 352 M
( P:) s
5 339 M
( C: E1E072633BADE51A60E85951D9C42A1B) s
5 313 M
( A:) s
5 300 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 287 M
( 18191A1B1C1D1E1F) s
5 274 M
( C: BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A6) s
5 261 M
( 57149D53773463CB4A3BAE824465CFDAF8C41FC50C7DF9D9) s
5 235 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 222 M
( 18191A1B1C1D1E1F2021222324252627) s
5 209 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 196 M
( 18191A1B1C1D1E1F2021222324252627) s
5 183 M
( C: BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A6) s
5 170 M
( 57149D53773463CB68C65778B058A635659C623211DEEA0D) s
5 157 M
( E30D2C381879F4C8) s
5 131 M
( A: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 118 M
( 18191A1B1C1D1E1F2021222324252627) s
5 105 M
( P:) s
5 92 M
( C: 7AEB7A69A1687DD082CA27B0D9A37096) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 15]) s
_R
S
%%Page: (16) 16
%%BeginPageSetup
_S
18 36 translate
/pagenum 16 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( A:) s
5 690 M
( P: 000102030405060708090A0B0C0D0E0F1011121314151617) s
5 677 M
( 18191A1B1C1D1E1F2021222324252627) s
5 664 M
( C: BEA5E8798DBE7110031C144DA0B26122CEAAB9B05DF771A6) s
5 651 M
( 57149D53773463CB68C65778B058A635060C8467F4ABAB5E) s
5 638 M
( 8B3C2067A2E115DC) s
5 612 M
( Next are several internal values generated during the OCB-ENCRYPT) s
5 599 M
( computation of the last test vector listed above.) s
5 573 M
( bottom : 11) s
5 560 M
( Checksum_1: 000102030405060708090A0B0C0D0E0F) s
5 547 M
( Checksum_2: 10101010101010101010101010101010) s
5 534 M
( Checksum_*: 30313233343536379010101010101010) s
5 521 M
( Ktop : 00000001000102030405060708090A00) s
5 508 M
( L_* : C6A13B37878F5B826F4F8162A1C8D879) s
5 495 M
( L_$ : 8D42766F0F1EB704DE9F02C54391B075) s
5 482 M
( L_0 : 1A84ECDE1E3D6E09BD3E058A8723606D) s
5 469 M
( L_1 : 3509D9BC3C7ADC137A7C0B150E46C0DA) s
5 456 M
( Offset_0 : 088A4C602C15FCCF8ECB3677E5E63517) s
5 443 M
( Offset_1 : 120EA0BE322892C633F533FD62C5557A) s
5 430 M
( Offset_2 : 270779020E524ED5498938E86C8395A0) s
5 417 M
( Offset_* : E1A6423589DD155726C6B98ACD4B4DD9) s
5 404 M
( Stretch : 43E111498C0582BF99F1D966CEFCBCC6A2F058C589873D26) s
5 378 M
( The following pseudocode algorithm tests a wider variety of inputs.) s
5 365 M
( Results are given for each of AEAD_AES_128_OCB_TAGLEN128,) s
5 352 M
( AEAD_AES_192_OCB_TAGLEN128 and AEAD_AES_256_OCB_TAGLEN128. Let <i>) s
5 339 M
( be the 8-bit base-2 representation of i \(eg, <3> == 00000011 and) s
5 326 M
( <255> == 11111111\).) s
5 300 M
( K = zeros\(KEYLEN\) // Keylength of AES in use) s
5 287 M
( for i = 0 to 127 do) s
5 274 M
( S = zeros\(8i\) // i bytes of zeros) s
5 261 M
( N = zeros\(88\) || <i> // 11 zero bytes followed by the 1-byte value <i>) s
5 248 M
( C = C || OCB-ENCRYPT\(K,N,S,S\)) s
5 235 M
( C = C || OCB-ENCRYPT\(K,N,<empty string>,S\)) s
5 222 M
( C = C || OCB-ENCRYPT\(K,N,S,<empty string>\)) s
5 209 M
( end for) s
5 196 M
( N = zeros\(96\)) s
5 183 M
( Output : OCB-ENCRYPT\(K,N,C,<empty string>\)) s
5 157 M
( Iteration i of the loop adds 2i + 48 bytes to C, resulting in an) s
5 144 M
( ultimate length for C of 22,400 bytes. The final OCB-ENCRYPT has an) s
5 131 M
( empty plaintext component, so serves only to authenticate C. The) s
5 118 M
( output should be:) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 16]) s
_R
S
%%Page: (17) 17
%%BeginPageSetup
_S
18 36 translate
/pagenum 17 def
/fname () def
/fdir (.) def
/ftail (.) def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 742 M
(Internet-Draft OCB Authenticated-Encryption July 2011) s
5 703 M
( AEAD_AES_128_OCB_TAGLEN128 Output: B2B41CBF9B05037DA7F16C24A35C1C94) s
5 690 M
( AEAD_AES_192_OCB_TAGLEN128 Output: 1529F894659D2B51B776740211E7D083) s
5 677 M
( AEAD_AES_256_OCB_TAGLEN128 Output: 42B83106E473C0EEE086C8D631FD4C7B) s
5 638 M
(Authors' Addresses) s
5 612 M
( Ted Krovetz) s
5 599 M
( Computer Science Department) s
5 586 M
( California State University) s
5 573 M
( 6000 J Street) s
5 560 M
( Sacramento, CA 95819-6021) s
5 547 M
( USA) s
5 521 M
( Email: ted@krovetz.net) s
5 482 M
( Phillip Rogaway) s
5 469 M
( Computer Science Department) s
5 456 M
( University of California) s
5 443 M
( One Shields Avenue) s
5 430 M
( Davis, CA 95616-8562) s
5 417 M
( USA) s
5 391 M
( Email: rogaway@cs.ucdavis.edu) s
5 40 M
(Krovetz & Rogaway Expires January 16, 2012 [Page 17]) s
_R
S
%%Trailer
%%Pages: 17
%%DocumentNeededResources: font Courier-Bold Courier
%%EOF