
ocb3: restrict minimum NonceSize to U6 #593

Merged 1 commit, Mar 27, 2024

Conversation

@tarcieri (Member) commented Mar 27, 2024

Based on the recommendations of the following paper, which describes an attack against OCB3 mode:

https://eprint.iacr.org/2023/326.pdf

> In the case of OCB3, it is easy to fix the algorithm’s specification
> in order to avoid the weakness and abide to the full assumptions of
> the security proof. If the description is unchanged, the requirement
> N ≥ 6 must become an absolute requirement.

Furthermore, this restricts the minimum tag size to 1 byte, up from the former 0 bytes. This is a questionable choice of minimum but reflects the wording in the RFC:

> The TAGLEN parameter specifies the length of authentication tag used
> by OCB and may be any value up to 128

Closes #592

@tarcieri tarcieri merged commit d2b664b into master Mar 27, 2024
12 checks passed
@tarcieri tarcieri deleted the ocb3/restrict-nonce-sizes branch March 27, 2024 13:41
TagSize: ArrayLength<u8> + IsLessOrEqual<U16>,
NonceSize: ArrayLength<u8> + IsLessOrEqual<U15>,
TagSize: ArrayLength<u8> + IsGreater<U0> + IsLessOrEqual<U16>,
NonceSize: ArrayLength<u8> + IsGreaterOrEqual<U6> + IsLessOrEqual<U15>,
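Review bot: the new `IsGreaterOrEqual<U6>` / `IsLessOrEqual<U15>` bounds on `NonceSize` (and `IsGreater<U0>` / `IsLessOrEqual<U16>` on `TagSize`) only require that the comparison be implementable, not that it evaluate to true; in typenum these traits are implemented for every pair of unsigned integers and the answer is carried in the `Output` bit, so a `NonceSize` of `U5` or `U16` and a `TagSize` of `U0` still satisfy this where clause and the range is not actually enforced. To make the bounds bite, also require the comparison results to be non-zero, e.g. `GrEq<NonceSize, U6>: NonZero, LeEq<NonceSize, U15>: NonZero,` and the matching `Gr<TagSize, U0>: NonZero, LeEq<TagSize, U16>: NonZero,`, and add compile-fail tests (for instance with trybuild) for `U5`/`U16` nonces and a `U0` tag so a regression in these bounds is caught by CI.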
@newpavlov (Member) Mar 27, 2024

I think you also need to add bounds like `GrEq<NonceSize, U6>: NonZero`, otherwise it will have no effect. Same with `IsLessOrEqual`. IIRC the current bounds only state that you can compare against the number and nothing about the comparison result.

Plus it's worth adding compilation failure tests for unsupported sizes.

@tarcieri (Member Author)

What's an example case where that bound is required?

@newpavlov (Member) Mar 27, 2024

IIUC with the current bound you still can use U5 for NonceSize, same for U16.
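The point made in the two comments above (a bound like `N: IsGreaterOrEqual<U6>` alone still admits `U5`, while additionally requiring `GrEq<N, U6>: NonZero` rejects it) is shown below as an added example; it is neither the ocb3 crate's code nor typenum itself. To run as a single file with no external crates it uses a miniature stand-in for typenum's type-level naturals, comparison traits and `NonZero` marker (the names `Z`, `S`, `Nat`, `GreaterOrEqual`, `LessOrEqual`, `LooseNonce`, `StrictNonce` and the `*_len_*` helpers are this example's own). The one design point it copies from typenum is that the comparison trait is implemented for every pair of naturals and the answer lives in `Output`, which is exactly why the bare trait bound does not constrain anything.

```rust
// Added example: a miniature stand-in for typenum's type-level comparisons.
// Not the ocb3 crate's code; names below are this example's own assumptions.
use core::marker::PhantomData;

/// Type-level naturals, Peano style: `Z` = 0, `S<N>` = N + 1.
pub struct Z;
pub struct S<N>(PhantomData<N>);

/// Recovers the runtime value of a type-level natural.
pub trait Nat {
    const VALUE: usize;
}
impl Nat for Z {
    const VALUE: usize = 0;
}
impl<N: Nat> Nat for S<N> {
    const VALUE: usize = N::VALUE + 1;
}

/// Type-level bits: the result of a type-level comparison.
pub struct B0;
pub struct B1;

/// Marker implemented only for the "true" bit, mirroring typenum's `NonZero`.
pub trait NonZero {}
impl NonZero for B1 {}

/// `A: GreaterOrEqual<B>` holds for *every* pair of naturals; the verdict is
/// carried in `Output`, as with typenum's `IsGreaterOrEqual`.
pub trait GreaterOrEqual<Rhs> {
    type Output;
}
impl GreaterOrEqual<Z> for Z {
    type Output = B1;
}
impl<M> GreaterOrEqual<S<M>> for Z {
    type Output = B0;
}
impl<N> GreaterOrEqual<Z> for S<N> {
    type Output = B1;
}
impl<N, M> GreaterOrEqual<S<M>> for S<N>
where
    N: GreaterOrEqual<M>,
{
    type Output = <N as GreaterOrEqual<M>>::Output;
}

/// `A <= B` is defined as `B >= A`, again implemented for every pair.
pub trait LessOrEqual<Rhs> {
    type Output;
}
impl<A, B> LessOrEqual<B> for A
where
    B: GreaterOrEqual<A>,
{
    type Output = <B as GreaterOrEqual<A>>::Output;
}

pub type GrEq<A, B> = <A as GreaterOrEqual<B>>::Output;
pub type LeEq<A, B> = <A as LessOrEqual<B>>::Output;

pub type U0 = Z;
pub type U5 = S<S<S<S<S<U0>>>>>;
pub type U6 = S<U5>;
pub type U15 = S<S<S<S<S<S<S<S<S<U6>>>>>>>>>;
pub type U16 = S<U15>;

/// The bound shape from the PR diff: reads like a range check, but every
/// natural implements both comparison traits, so `U5` and `U16` slip through.
pub struct LooseNonce<N>(PhantomData<N>);
impl<N> LooseNonce<N>
where
    N: Nat + GreaterOrEqual<U6> + LessOrEqual<U15>,
{
    pub const LEN: usize = N::VALUE;
}

/// The fix from the review comment: additionally require the comparison
/// *results* to be `NonZero`, i.e. the "true" bit.
pub struct StrictNonce<N>(PhantomData<N>);
impl<N> StrictNonce<N>
where
    N: Nat + GreaterOrEqual<U6> + LessOrEqual<U15>,
    GrEq<N, U6>: NonZero,
    LeEq<N, U15>: NonZero,
{
    pub const LEN: usize = N::VALUE;
}

/// In-range sizes resolve under the strict bounds.
pub fn strict_len_6() -> usize {
    StrictNonce::<U6>::LEN
}
pub fn strict_len_15() -> usize {
    StrictNonce::<U15>::LEN
}
/// The loose bounds silently accept the sizes the PR meant to forbid.
pub fn loose_len_5() -> usize {
    LooseNonce::<U5>::LEN
}
pub fn loose_len_16() -> usize {
    LooseNonce::<U16>::LEN
}
// `StrictNonce::<U5>::LEN` or `StrictNonce::<U16>::LEN` fails to compile:
// the trait `NonZero` is not implemented for `B0`.

fn main() {
    println!("strict: U6 -> {}, U15 -> {}", strict_len_6(), strict_len_15());
    println!("loose:  U5 -> {}, U16 -> {}", loose_len_5(), loose_len_16());
}
```

With real typenum the same two extra lines (`GrEq<NonceSize, U6>: NonZero` and `LeEq<NonceSize, U15>: NonZero`, plus the `Gr<TagSize, U0>` / `LeEq<TagSize, U16>` pair for the tag) are what turn the diff's bounds into an enforced range; a compile-fail test that instantiates the cipher with `U5` is the cheapest way to keep it that way.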

@newpavlov (Member)

It may be worth adding sealed TagSizes/NonceSizes traits to simplify public bounds.

@newpavlov (Member)

I can prepare a quick PR to amend this.

@tarcieri (Member Author)

We had those before, although we removed them in #590, and the requirements have gotten more complex since then. Still, it's a bounded range, and if we can express it properly with typenum it will be easier to eventually move to const generics.

@tarcieri tarcieri mentioned this pull request Mar 27, 2024
Linked issue: OCB3: restrict short nonces
2 participants