OCB3: restrict short nonces #592

Closed
tarcieri opened this issue Mar 27, 2024 · 0 comments · Fixed by #593
Comments

@tarcieri
Member

This paper presents an attack on OCB3 with short nonces:

https://eprint.iacr.org/2023/326.pdf

This note reports a small flaw in the security proof of OCB3 that may cause a loss of security in practice, even if OCB3 is correctly implemented in a trustworthy and nonce-respecting module. The flaw is present when OCB3 is used with short nonces. It has security implications that are worse than nonce repetition, as confidentiality and authenticity are lost until the key is changed. The flaw is due to an implicit condition in the security proof and to the way OCB3 processes nonces.

It makes the following recommendation:

In the case of OCB3, it is easy to fix the algorithm's specification in order to avoid the weakness and abide by the full assumptions of the security proof. If the description is unchanged, the requirement N ≥ 6 must become an absolute requirement.

We should update the bounds on the nonce size accordingly.
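As an added illustration (not the ocb3 crate's code and not part of this issue), the following Rust snippet rejects nonces shorter than 6 bytes before performing the RFC 7253 nonce-formatting step, where the low 6 bits of the formatted block become `bottom` and the rest is enciphered into `Ktop`. The 15-byte upper bound is RFC 7253's 120-bit nonce limit, and the function and error names are assumed.

```rust
// Added example: enforce the 6..=15 byte OCB3 nonce range and build the
// 128-bit `Nonce` block of RFC 7253 section 4.2 (names are assumed).
const MIN_NONCE_LEN: usize = 6; // lower bound requested by the paper
const MAX_NONCE_LEN: usize = 15; // |N| <= 120 bits per RFC 7253

#[derive(Debug, PartialEq)]
pub enum NonceError {
    TooShort(usize),
    TooLong(usize),
}

/// Rejects nonces outside the accepted length range; a short nonce must be
/// refused outright, since the paper shows it loses security even when
/// the nonce is never repeated.
pub fn check_nonce_len(nonce: &[u8]) -> Result<(), NonceError> {
    match nonce.len() {
        n if n < MIN_NONCE_LEN => Err(NonceError::TooShort(n)),
        n if n > MAX_NONCE_LEN => Err(NonceError::TooLong(n)),
        _ => Ok(()),
    }
}

/// Formats `Nonce = num2str(TAGLEN mod 128, 7) || zeros(120 - |N|) || 1 || N`
/// and returns (Nonce with its low 6 bits cleared, bottom). The first value
/// is what gets enciphered to produce `Ktop`; `bottom` selects the window of
/// `Stretch` that becomes `Offset_0`. AES itself is omitted here.
pub fn format_nonce(tag_len_bytes: usize, nonce: &[u8]) -> Result<([u8; 16], u8), NonceError> {
    check_nonce_len(nonce)?;
    let mut block = [0u8; 16];
    // 7-bit tag length in bits, mod 128, left-aligned in the first byte.
    block[0] = (((tag_len_bytes * 8) % 128) as u8) << 1;
    // The single '1' bit sits immediately before the nonce bytes.
    block[15 - nonce.len()] |= 1;
    block[16 - nonce.len()..].copy_from_slice(nonce);
    let bottom = block[15] & 0x3f;
    block[15] &= 0xc0;
    Ok((block, bottom))
}

fn main() {
    // Constructed sample inputs.
    println!("{:?}", check_nonce_len(&[0u8; 5]));
    println!("{:?}", format_nonce(16, &[0x42u8; 12]));
}
```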
