Internet Engineering Task Force T. Krovetz Internet-Draft Sacramento State Updates: 7523 (if approved) May 11, 2018 Intended status: Informational Expires: November 12, 2018 OCB For Block Ciphers Without 128-Bit Blocks draft-krovetz-ocb-wideblock-00 Abstract The OCB authenticated-encryption algorithm is specified in RFC 7523, but only for blockciphers with 128-bit blocks such as AES. This document extends RFC 7523 by specifying how OCB is used with blockciphers of any blocklength. When the blocklength is 128 bits, this specification and that in RFC 7523 are identical. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 12, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Krovetz Expires November 12, 2018 [Page 1]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Notation and Basic Operations . . . . . . . . . . . . . . . . 3 3. OCB Global Parameters . . . . . . . . . . . . . . . . . . . . 4 3.1. Constants Derived From BLOCKLEN . . . . . . . . . . . . . 5 4. OCB Algorithms . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Associated-Data Processing: HASH . . . . . . . . . . . . 5 4.2. Encryption: OCB-ENCRYPT . . . . . . . . . . . . . . . . . 8 4.3. Decryption: OCB-DECRYPT . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5.1. Nonce Requirements . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 8.1. Normative References . . . . . . . . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 14 Appendix A. Sample Results . . . . . . . . . . . . . . . . . . . 14 A.1. Example 1: 64-bit Blockcipher, 0-byte Input . . . . . . . 15 A.2. Example 2: 64-bit Blockcipher, 4-byte Input . . . . . . . 15 A.3. Example 3: 64-bit Blockcipher, 8-byte Input . . . . . . . 16 A.4. Example 4: 64-bit Blockcipher, 20-byte Input . . . . . . 17 A.5. Example 5: 256-bit Blockcipher, 80-byte Input . . . . . . 19 A.6. Example 6: Extended Tests . . . . . . . . . . . . . . . . 21 Appendix B. Generating RESIDUE, SHIFT, MASKLEN, TAGREP Constants 22 B.1. Sage Script For Generating MASKLEN and SHIFT . . . . . . 23 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 24 1. Introduction OCB is a shared-key, blockcipher-based authentication scheme specified in [RFC7523]. It was designed with the AES blockcipher in mind and thus envisioned only being used with 128-bit blockciphers. The resulting RFC 7523 does not allow blockciphers with larger or smaller blocklengths. This document respecifies OCB in a more general manner, eliminating the expectation that a 128-bit blockcipher is used. This update is consistent with RFC 7523 and does not contradict it in any way. For applications using 128-bit blockciphers, RFC 7523 should be preferred because it is simpler, self-contained, and has more applicable test vectors. Changing the blocklength used in OCB is not a simple matter. There are non-trivially defined constants used in OCB that must be recalculated for each different blocklength. What follows is largely Krovetz Expires November 12, 2018 [Page 2]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 a copy of the algorithms from RFC 7523, made more general by using blocklength-dependent symbolic constants. The security of OCB continues to follow a birthday bound. Both the confidentiality and the authenticity properties of OCB degrade as per s^2 / 2^b, where s is the total number of blocks that the adversary acquires and b is the number of bits per blockcipher block. Note that this means security degrades rapidly when using a blockcipher with a small to moderate blocklength. 2. Notation and Basic Operations There are two types of variables used in this specification, strings and integers. Although strings processed by most implementations of OCB will be strings of bytes, bit-level operations are used throughout this specification document for defining OCB. String variables are always written with an initial upper-case letter while integer variables are written in all lower-case. Following C's convention, a single equals ("=") indicates variable assignment and double equals ("==") is the equality relation. Whenever a variable is followed by an underscore ("_"), the underscore is intended to denote a subscript, with the subscripted expression requiring evaluation to resolve the meaning of the variable. For example, when i == 2, then P_i refers to the variable P_2. c^i The integer c raised to the i-th power. bitlen(S) The length of string S in bits (eg, bitlen(001) == 3). zeros(n) The string made of n zero-bits. ntz(n) The number of trailing zero bits in the base-2 representation of the positive integer n. More formally, ntz(n) is the largest integer x for which 2^x divides n. S xor T The string that is the bitwise exclusive-or of S and T. Strings S and T will always have the same length. S[i] The i-th bit of the string S (indices begin at 1, so if S is 011 then S[1] == 0, S[2] == 1, S[3] == 1). S[i..j] The substring of S consisting of bits i through j, inclusive. S || T String S concatenated with string T (eg, 000 || 111 == 000111). Krovetz Expires November 12, 2018 [Page 3]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 str2num(S) The base-2 interpretation of bitstring S (eg, str2num(1110) == 14). num2str(i,n) The n-bit string whose base-2 interpretation is i (eg, num2str(14,4) == 1110 and num2str(1,2) == 01). double(S) If S[1] == 0 then double(S) == (S[2..bitlen(S)] || 0); otherwise double(S) == (S[2..bitlen(S)] || 0) xor num2str(RESIDUE,bitlen(S)) where RESIDUE is defined in Section 3.1 or Appendix B. 3. OCB Global Parameters To be complete, the algorithms in this document require specification of two global parameters: a blockcipher and the length of authentication tags in use. Specifying a blockcipher implicitly defines the following symbols. BLOCKLEN The blockcipher's blocklength, in bits. KEYLEN The blockcipher's key length, in bits. ENCIPHER(K,P) The blockcipher function mapping BLOCKLEN-bit plaintext block P to its corresponding ciphertext block using KEYLEN-bit key K. DECIPHER(K,C) The inverse blockcipher function mapping BLOCKLEN-bit ciphertext block C to its corresponding plaintext block using KEYLEN-bit key K. The TAGLEN parameter specifies the length of authentication tag used by OCB and may be any positive value up to, and including, the smaller of BLOCKLEN or 256. As an example, if 128-bit authentication tags and AES with 192-bit keys are to be used, then BLOCKLEN is 128, KEYLEN is 192, ENCIPHER refers to the AES-192 cipher, DECIPHER refers to the AES-192 inverse cipher, and TAGLEN is 128. Greater values for TAGLEN provide greater assurances of authenticity, but ciphertexts produced by OCB are longer than their corresponding plaintext by TAGLEN bits. See Section 5 for details about TAGLEN and security. Krovetz Expires November 12, 2018 [Page 4]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 3.1. Constants Derived From BLOCKLEN Each value of BLOCKLEN gives rise to constants that need careful choosing to ensure OCB security and efficiency. The value RESIDUE is used in the definition of double given in Section 2, and the values SHIFT, MASKLEN, and TAGREP are used in the OCB-ENCRYPT and OCB- DECRYPT functions given in Section 4. The following table lists these constants for a collection of blockcipher blocklengths. If a blocklength is needed that is not in the table, Appendix B gives the criteria and algorithm used to determine the constants given here. The same criteria and algorithm should be used to generate other constants for other blocklengths. Note that there are attacks on OCB with success proportional to a birthday bound related to BLOCKLEN. This means that using small values of BLOCKLEN may lead quickly to poor security. See Section 5 for more information on the security bounds of OCB. +----------+---------+-------+---------+--------+ | BLOCKLEN | RESIDUE | SHIFT | MASKLEN | TAGREP | +----------+---------+-------+---------+--------+ | 32 | 141 | 17 | 4 | 5 | | 64 | 27 | 25 | 5 | 6 | | 96 | 1601 | 33 | 6 | 7 | | 128 | 135 | 8 | 6 | 7 | | 192 | 135 | 40 | 7 | 8 | | 256 | 1061 | 1 | 8 | 8 | | 384 | 4109 | 80 | 8 | 8 | | 512 | 293 | 176 | 8 | 8 | | 768 | 655377 | 160 | 9 | 8 | | 1024 | 524355 | 352 | 9 | 8 | | 1600 | 18435 | 192 | 10 | 8 | +----------+---------+-------+---------+--------+ 4. OCB Algorithms OCB is described in this section using pseudocode. Given any collection of inputs of the required types, following the pseudocode description for a function will produce the correct output of the promised type. 4.1. Associated-Data Processing: HASH OCB has the ability to authenticate unencrypted associated data at the same time that it provides for authentication and encrypts a plaintext. The following hash function is central to providing this functionality. If an application has no associated data, then the Krovetz Expires November 12, 2018 [Page 5]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 associated data should be considered to exist and to be the empty string. HASH, conveniently, always returns zeros(BLOCKLEN) when the associated data is the empty string. Krovetz Expires November 12, 2018 [Page 6]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 Function name: HASH Input: K, string of KEYLEN bits // Key A, string of any length // Associated data Output: Sum, string of BLOCKLEN bits // Hash result Sum is defined as follows. // // Key-dependent variables // L_* = ENCIPHER(K, zeros(BLOCKLEN)) L_$ = double(L_*) L_0 = double(L_$) L_i = double(L_{i-1}) for every integer i > 0 // // Consider A as a sequence of BLOCKLEN-bit blocks // Let m be the largest integer so that m * BLOCKLEN <= bitlen(A) Let A_1, A_2, ..., A_m and A_* be strings so that A == A_1 || A_2 || ... || A_m || A_*, and bitlen(A_i) == BLOCKLEN for each 1 <= i <= m. Note: A_* may possibly be the empty string. // // Process any whole blocks // Sum_0 = zeros(BLOCKLEN) Offset_0 = zeros(BLOCKLEN) for each 1 <= i <= m Offset_i = Offset_{i-1} xor L_{ntz(i)} Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) end for // // Process any final partial block; compute final hash value // if bitlen(A_*) > 0 then Offset_* = Offset_m xor L_* Zerofill = zeros(BLOCKLEN-(1+bitlen(A_*))) CipherInput = (A_* || 1 || Zerofill) xor Offset_* Sum = Sum_m xor ENCIPHER(K, CipherInput) else Sum = Sum_m end if Krovetz Expires November 12, 2018 [Page 7]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 4.2. Encryption: OCB-ENCRYPT This function computes a ciphertext (which includes a bundled authentication tag) when given a plaintext, associated data, nonce and key. For each invocation of OCB-ENCRYPT using the same key K, the value of the nonce input N must be distinct. Function name: OCB-ENCRYPT Input: K, string of KEYLEN bits // Key N, string of up to BLOCKLEN-(TAGREP+1) bits // Nonce A, string of any length // Associated data P, string of any length // Plaintext Output: C, string of length bitlen(P) + TAGLEN bits // Ciphertext C is defined as follows. // // Key-dependent variables // L_* = ENCIPHER(K, zeros(BLOCKLEN)) L_$ = double(L_*) L_0 = double(L_$) L_i = double(L_{i-1}) for every integer i > 0 // // Consider P as a sequence of BLOCKLEN-bit blocks // Let m be the largest integer so that m * BLOCKLEN <= bitlen(P) Let P_1, P_2, ..., P_m and P_* be strings so that P == P_1 || P_2 || ... || P_m || P_*, and bitlen(P_i) == BLOCKLEN for each 1 <= i <= m. Note: P_* may possibly be the empty string. // // Nonce-dependent and per-encryption variables // Zerofill = zeros(BLOCKLEN-(TAGREP+1+bitlen(N))) Nonce = num2str(TAGLEN mod BLOCKLEN, TAGREP) || Zerofill || 1 || N bottom = str2num(Nonce[BLOCKLEN-MASKLEN+1..BLOCKLEN]) Ktop = ENCIPHER(K, Nonce[1..BLOCKLEN-MASKLEN] || zeros(MASKLEN)) ShiftedKtop = Ktop[1..BLOCKLEN-SHIFT] xor Ktop[1+SHIFT..BLOCKLEN] Stretch = Ktop || ShiftedKtop Offset_0 = Stretch[1+bottom..BLOCKLEN+bottom] Checksum_0 = zeros(BLOCKLEN) Krovetz Expires November 12, 2018 [Page 8]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 // // Process any whole blocks // for each 1 <= i <= m Offset_i = Offset_{i-1} xor L_{ntz(i)} C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) Checksum_i = Checksum_{i-1} xor P_i end for // // Process any final partial block and compute raw tag // if bitlen(P_*) > 0 then Offset_* = Offset_m xor L_* Pad = ENCIPHER(K, Offset_*) C_* = P_* xor Pad[1..bitlen(P_*)] PaddedP = P_* || 1 || zeros(BLOCKLEN-(bitlen(P_*)+1)) Checksum_* = Checksum_m xor PaddedP Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) else C_* = <empty string> Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A) end if // // Assemble ciphertext // C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN] 4.3. Decryption: OCB-DECRYPT This function computes a plaintext when given a ciphertext, associated data, nonce and key. An authentication tag is embedded in the ciphertext. If the tag is not correct for the ciphertext, associated data, nonce and key, then an INVALID signal is produced. Function name: OCB-DECRYPT Input: K, string of KEYLEN bits // Key N, string of up to BLOCKLEN-(TAGREP+1) bits // Nonce A, string of any length // Associated data C, string of at least TAGLEN bits // Ciphertext Output: P, string of length bitlen(C) - TAGLEN bits, // Plaintext or INVALID indicating authentication failure P is defined as follows. Krovetz Expires November 12, 2018 [Page 9]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 // // Key-dependent variables // L_* = ENCIPHER(K, zeros(BLOCKLEN)) L_$ = double(L_*) L_0 = double(L_$) L_i = double(L_{i-1}) for every integer i > 0 // // Consider C as a sequence of BLOCKLEN-bit blocks // Let m be the largest integer so m * BLOCKLEN <= bitlen(C) - TAGLEN Let C_1, C_2, ..., C_m, C_* and T be strings so that C == C_1 || C_2 || ... || C_m || C_* || T, bitlen(C_i) == BLOCKLEN for each 1 <= i <= m, and bitlen(T) == TAGLEN. Note: C_* may possibly be the empty string. // // Nonce-dependent and per-decryption variables // Zerofill = zeros(BLOCKLEN-(TAGREP+1+bitlen(N))) Nonce = num2str(TAGLEN mod BLOCKLEN, TAGREP) || Zerofill || 1 || N bottom = str2num(Nonce[BLOCKLEN-MASKLEN+1..BLOCKLEN]) Ktop = ENCIPHER(K, Nonce[1..BLOCKLEN-MASKLEN] || zeros(MASKLEN)) ShiftedKtop = Ktop[1..BLOCKLEN-SHIFT] xor Ktop[1+SHIFT..BLOCKLEN] Stretch = Ktop || ShiftedKtop Offset_0 = Stretch[1+bottom..BLOCKLEN+bottom] Checksum_0 = zeros(BLOCKLEN) // // Process any whole blocks // for each 1 <= i <= m Offset_i = Offset_{i-1} xor L_{ntz(i)} P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) Checksum_i = Checksum_{i-1} xor P_i end for // // Process any final partial block and compute raw tag // if bitlen(C_*) > 0 then Offset_* = Offset_m xor L_* Pad = ENCIPHER(K, Offset_*) P_* = C_* xor Pad[1..bitlen(C_*)] PaddedP = P_* || 1 || zeros(BLOCKLEN-bitlen(P_*)-1) Checksum_* = Checksum_m xor PaddedP Krovetz Expires November 12, 2018 [Page 10]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) else P_* = <empty string> Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A) end if // // Check for validity and assemble plaintext // if (Tag[1..TAGLEN] == T) then P = P_1 || P_2 || ... || P_m || P_* else P = INVALID end if 5. Security Considerations What follows is a duplicate of the Security Considerations section of RFC 7523 with numeric literals replaced by their symbolic equivalents. With the ability to change BLOCKLEN comes two important additional considerations. The amount of data that can safely be processed using a single key is related to BLOCKLEN: a larger BLOCKLEN allows more data whereas a smaller BLOCKLEN allows less. Also, authentication tag lengths are limited to BLOCKLEN bits, which means that using OCB with a small BLOCKLEN forces the use of small tags. In all cases, but especially when reducing BLOCKLEN, a careful evaluation of an application's security requirements should be conducted and only if OCB, with a particular BLOCKLEN, meets those requirements should it be used. OCB achieves two security properties, confidentiality and authenticity. Confidentiality is defined via "indistinguishability from random bits", meaning that an adversary is unable to distinguish OCB-outputs from an equal number of random bits. Authenticity is defined via "authenticity of ciphertexts", meaning that an adversary is unable to produce any valid nonce-ciphertext pair that it has not already acquired. The security guarantees depend on the underlying blockcipher being secure in the sense of a strong pseudorandom permutation. Thus if OCB is used with a blockcipher that is not secure as a strong pseudorandom permutation, the security guarantees vanish. The need for the strong pseudorandom permutation property means that OCB should be used with a conservatively designed, well- trusted blockcipher, such as AES. Both the confidentiality and the authenticity properties of OCB degrade as per s^2 / 2^BLOCKLEN, where s is the total number of blocks that the adversary acquires. The consequence of this formula is that the proven security disappears when s becomes as large as Krovetz Expires November 12, 2018 [Page 11]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 2^(BLOCKLEN/2). Thus the user should never use a key to generate an amount of ciphertext that is near to, or exceeds, 2^(BLOCKLEN/2) blocks. In order to ensure that s^2 / 2^BLOCKLEN remains less than about 1/2^32, a given key should be used to encrypt at most 2^(BLOCKLEN/2-16) blocks, including the associated data. To ensure these limits are not crossed, automated key management is recommended in systems exchanging large amounts of data [RFC4107]. When a ciphertext decrypts as INVALID it is the implementor's responsibility to make sure that no information beyond this fact is made adversarially available. OCB encryption and decryption produce an internal BLOCKLEN-bit authentication tag. The parameter TAGLEN determines how many bits of this internal tag are included in ciphertexts and used for authentication. The value of TAGLEN has two impacts: An adversary can trivially forge with probability 2^{-TAGLEN}, and ciphertexts are TAGLEN bits longer than their corresponding plaintexts. It is up to the application designer to choose an appropriate value for TAGLEN. Long tags cost no more computationally than short ones. Normally, a given key should be used to create ciphertexts with a single tag length, TAGLEN, and an application should reject any ciphertext that claims authenticity under the same key but a different tag length. While the ciphertext core and all of the bits of the tag do depend on the tag length, this is done for added robustness against misuse and should not suggest that receivers accept ciphertexts employing variable tag lengths under a single key. Timing attacks are not a part of the formal security model and an implementation should take care to mitigate them in contexts where this is a concern. To render timing attacks impotent, the amount of time to encrypt or decrypt a string should be independent of the key and the contents of the string. The only explicitly conditional OCB operation that depends on private data is double(), which means that using constant-time blockcipher and double() implementations eliminates most (if not all) sources of timing attacks on OCB. Power-usage attacks are likewise out of scope of the formal model, and should be considered for environments where they are threatening. The OCB encryption scheme reveals in the ciphertext the length of the plaintext. Sometimes the length of the plaintext is a valuable piece of information that should be hidden. For environments where "traffic analysis" is a concern, techniques beyond OCB encryption (typically involving padding) would be necessary. Defining the ciphertext that results from OCB-ENCRYPT to be the pair (C_1 || C_2 || ... || C_m || C_*, Tag[1..TAGLEN]) instead of the Krovetz Expires November 12, 2018 [Page 12]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 concatenation C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN] introduces no security concerns. Because TAGLEN is fixed, both versions allow ciphertexts to be parsed unambiguously. 5.1. Nonce Requirements It is crucial that, as one encrypts, one does not repeat a nonce. The inadvertent reuse of the same nonce by two invocations of the OCB encryption operation, with the same key, but with distinct plaintext values, undermines the confidentiality of the plaintexts protected in those two invocations, and undermines all of the authenticity and integrity protection provided by that key. For this reason, OCB should only be used whenever nonce uniqueness can be provided with certainty. Note that it is acceptable to input the same nonce value multiple times to the decryption operation. We emphasize that the security consequences are quite serious if an attacker observes two ciphertexts that were created using the same nonce and key values, unless the plaintext and AD values in both invocations of the encrypt operation were identical. First, a loss of confidentiality ensues because the attacker will be able to infer relationships between the two plaintext values. Second, a loss of authenticity ensues because the attacker will be able to recover secret information used to provide authenticity, making subsequent forgeries trivial. Note that there are AEAD schemes, particularly SIV [RFC5297], appropriate for environments where nonces are unavailable or unreliable. OCB is not such a scheme. Nonces need not be secret, and a counter may be used for them. If two parties send OCB-encrypted plaintexts to one another using the same key, then the space of nonces used by the two parties must be partitioned so that no nonce that could be used by one party to encrypt could be used by the other to encrypt (eg, odd and even counters). 6. IANA Considerations The Internet Assigned Numbers Authority (IANA) has defined a registry for Authenticated Encryption with Associated Data parameters. This document does not specify any concrete AEAD schemes, so contributes nothing to the registry. Any AEAD scheme based on this document, where a permanently registered identifier would be useful, should register such identifier with IANA [RFC5116]. 7. Acknowledgements During a short period of 2017 three people inquired about extending OCB to blockciphers with blocklengths other than 128-bits. Thanks go to Jeffrey Walton, Mark Wooding, and Uri Blumenthal for providing the Krovetz Expires November 12, 2018 [Page 13]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 motivation for this work. Mark Wooding has been especially helpful, providing the basis for the code in Appendix B and corroborating test vectors by writing an independent implementation. 8. References 8.1. Normative References [Polys] Seroussi, G., "Table of low-weight binary irreducible polynomials", Hewlett-Packard technical report HPL-98-135, August 1998. [RFC7523] Krovetz, T. and P. Rogaway, "The OCB authenticated- encryption algorithm", RFC 7523, May 2014. 8.2. Informative References [OCB] Krovetz, T. and P. Rogaway, "The software performance of authenticated-encryption modes", in Fast Software Encryption - FSE 2011, Springer, 2011. [RC6] Rivest, R., Robshaw, M., Sidney, R., and Y. Yin, "The RC6 block cipher", Posted on RSA Data Security website August 20, 1998. [RFCRC6] Krovetz, T., "RC6 and RC5 test vectors for multiple block sizes", RFC XXXX, November 2018. [RFC4107] Bellovin, S. and R. Housley, "Guidelines for cryptographic key management", RFC 4107, June 2005. [RFC5116] McGrew, D., "An interface and algorithms for authenticated encryption", RFC 5116, January 2008. [RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV) authenticated encryption using the Advanced Encryption Standard (AES)", RFC 5297, October 2008. [Sage] The Sage Developers, "SageMath, the Sage Mathematics Software System (Version 7.6)", DOI 10.5281/zenodo.820864, 2017, <http://www.sagemath.org/>. Appendix A. Sample Results This section gives sample outputs for various inputs using OCB and blockciphers with blocklengths other than 128. In each case, an instance of RC6 is used for the blockcipher [RC6]. The name RC6-w/r/ Krovetz Expires November 12, 2018 [Page 14]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 b refers to RC6 with a 4w-bit blocklength, r internal rounds, and a b-byte key. There are too many possible cases to consider for this section to be exhaustive. Instead a small number of examples are shown in detail with many significant variable assignments in the pseudocode shown. This will help an implementor find most basic errors. Further validation could then be accomplished by comparison with a reference implementation over a much more thorough selection of inputs. Each of the following entries indicates the blockcipher and tag length used followed by the values K, N, A, P, C, indicating that plaintext P with associated data A when encrypted using OCB with key K, and nonce N, yields ciphertext C (which includes the tag). All strings are represented in hexadecimal (eg, 0F represents the bitstring 00001111). An empty entry indicates the empty string. A.1. Example 1: 64-bit Blockcipher, 0-byte Input K: 000102030405060708090A0B0C0D0E0F N: 000102030405 A: P: C: 474D57A4043E Assignments during HASH(K,A) L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Sum: 0000000000000000 Assignments during OCB-ENCRYPT L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Nonce: C001000102030405 bottom: 5 Ktop: 8298E905914FB488 Stretch: 8298E905914FB48889BA766C814FB488 Offset_0: 531D20B229F69111 Tag: 474D57A4043E7768 A.2. Example 2: 64-bit Blockcipher, 4-byte Input Krovetz Expires November 12, 2018 [Page 15]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 RC6-16/16/16 (64-bit blocks), 48-bit tags K: 000102030405060708090A0B0C0D0E0F N: 000102030405 A: 00010203 P: 00010203 C: B75BF470BB0B354C5B92 Assignments during HASH(K,A) L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Offset_*: 39EF0C3FF4475894 CipherInput: 39EE0E3C74475894 Sum: 48068A4FD12ABB4C Assignments during OCB-ENCRYPT L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Nonce: C001000102030405 bottom: 5 Ktop: 8298E905914FB488 Stretch: 8298E905914FB48889BA766C814FB488 Offset_0: 531D20B229F69111 Offset_*: 6AF22C8DDDB1C985 Pad: B75AF6732D339D4B PaddedP: 0001020380000000 Checksum_*: 0001020380000000 C_*: B75BF470 Tag: BB0B354C5B92CBAA A.3. Example 3: 64-bit Blockcipher, 8-byte Input Krovetz Expires November 12, 2018 [Page 16]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 RC6-16/16/16 (64-bit blocks), 48-bit tags K: 000102030405060708090A0B0C0D0E0F N: 000102030405 A: 0001020304050607 P: 0001020304050607 C: 882A4FFE11B0E540D41F335172BD Assignments during HASH(K,A) L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 L_0: E7BC30FFD11D6250 Offset_1: E7BC30FFD11D6250 Sum_1: E3549C18B6F398EB Sum: E3549C18B6F398EB Assignments during OCB-ENCRYPT L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Nonce: C001000102030405 bottom: 5 Ktop: 8298E905914FB488 Stretch: 8298E905914FB48889BA766C814FB488 Offset_0: 531D20B229F69111 L_0: E7BC30FFD11D6250 Offset_1: B4A1104DF8EBF341 Checksum_1: 0001020304050607 C_1: 882A4FFE11B0E540 Tag: D41F335172BD43B7 A.4. Example 4: 64-bit Blockcipher, 20-byte Input Krovetz Expires November 12, 2018 [Page 17]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 RC6-16/16/16 (64-bit blocks), 48-bit tags K: 000102030405060708090A0B0C0D0E0F N: 000102030405 A: 000102030405060708090A0B0C0D0E0F10111213 P: 000102030405060708090A0B0C0D0E0F10111213 C: 882A4FFE11B0E540F218C902D76A601F90DF1E27BD403C47DF4E Assignments during HASH(K,A) L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 L_0: E7BC30FFD11D6250 Offset_1: E7BC30FFD11D6250 Sum_1: E3549C18B6F398EB L_1: CF7861FFA23AC4BB Offset_2: 28C451007327A6EB Sum_2: FADB0507B1DA1433 Offset_*: 112B5D3F8760FE7F CipherInput: 013A4F2C0760FE7F Sum: D761B0AFAA584CF7 Assignments during OCB-ENCRYPT L_*: 39EF0C3FF4475894 L_$: 73DE187FE88EB128 Nonce: C001000102030405 bottom: 5 Ktop: 8298E905914FB488 Stretch: 8298E905914FB48889BA766C814FB488 Offset_0: 531D20B229F69111 L_0: E7BC30FFD11D6250 Offset_1: B4A1104DF8EBF341 Checksum_1: 0001020304050607 C_1: 882A4FFE11B0E540 L_1: CF7861FFA23AC4BB Offset_2: 7BD971B25AD137FA Checksum_2: 0808080808080808 C_2: F218C902D76A601F Offset_*: 42367D8DAE966F6E Pad: 80CE0C34E04B0990 PaddedP: 1011121380000000 Checksum_*: 18191A1B88080808 C_*: 90DF1E27 Tag: BD403C47DF4ED926 Krovetz Expires November 12, 2018 [Page 18]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 A.5. Example 5: 256-bit Blockcipher, 80-byte Input RC6-64/16/16 (256-bit blocks), 256-bit tags K: 000102030405060708090A0B0C0D0E0F N: 000102030405060708090A0B A: 000102030405060708090A0B0C0D0E0F 101112131415161718191A1B1C1D1E1F 202122232425262728292A2B2C2D2E2F 303132333435363738393A3B3C3D3E3F 404142434445464748494A4B4C4D4E4F P: 000102030405060708090A0B0C0D0E0F 101112131415161718191A1B1C1D1E1F 202122232425262728292A2B2C2D2E2F 303132333435363738393A3B3C3D3E3F 404142434445464748494A4B4C4D4E4F C: 5327CF07146F7B51A5D7AABA93D7F626 2F65ED3931815A5EF681217EBBF2BB13 F464772416E08D4BEAC37DFD8F614D98 AD7D58B1A63A24BB1CFE491D02AE28ED BC6D07CF935C31FC81361EA46FBF568F E4E72EE35BBD8FBBD04B2FCDB9656044 A9EFE1140327CEBB9A1750CDBD1BD3EC Assignments during HASH(K,A) L_*: 6E75A413F50216C512AD330BFABE641B 50E88C29BE5980AA2A09E43990125CBB L_$: DCEB4827EA042D8A255A6617F57CC836 A1D118537CB301545413C8732024B976 L_0: B9D6904FD4085B144AB4CC2FEAF9906D 43A230A6F96602A8A82790E6404976C9 Offset_1: B9D6904FD4085B144AB4CC2FEAF9906D 43A230A6F96602A8A82790E6404976C9 Sum_1: B1836672FE03B925800743FF4DE116B3 C09C00B396CB20B058FAD1AEC4171F57 L_1: 73AD209FA810B6289569985FD5F320DA 8744614DF2CC0551504F21CC8092E9B7 Offset_2: CA7BB0D07C18ED3CDFDD54703F0AB0B7 C4E651EB0BAA07F9F868B12AC0DB9F7E Sum_2: C16F97D1E09FA431655057CF582E8F32 FAE7971E00DB1EA56E7BA4AC493ECD8F Offset_*: A40E14C3891AFBF9CD70677BC5B4D4AC 940EDDC2B5F38753D261551350C9C3C5 CipherInput: E44F5680CD5FBDBE85392D3089F99AE3 140EDDC2B5F38753D261551350C9C3C5 Sum: 964A5EA730124E1EA6CD7874A58F449C 5C3B2ED878115CC292A021FAF261B4FD Krovetz Expires November 12, 2018 [Page 19]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 Assignments during OCB-ENCRYPT L_*: 6E75A413F50216C512AD330BFABE641B 50E88C29BE5980AA2A09E43990125CBB L_$: DCEB4827EA042D8A255A6617F57CC836 A1D118537CB301545413C8732024B976 Nonce: 00000000000000000000000000000000 00000001000102030405060708090A0B bottom: 11 Ktop: 67DB009692E6C7CCEFBFE4F9B810544E DBD469326F0CBA90F94D02A6A85C7C9B Stretch: 67DB009692E6C7CCEFBFE4F9B810544E DBD469326F0CBA90F94D02A6A85C7C9B A86D01BBB72B485530C02D0AC830FCD3 6C7CBB56B115CFB10BD707EBF8E485AD Offset_0: D804B497363E677DFF27CDC082A276DE A349937865D487CA68153542E3E4DD43 L_0: B9D6904FD4085B144AB4CC2FEAF9906D 43A230A6F96602A8A82790E6404976C9 Offset_1: 61D224D8E2363C69B59301EF685BE6B3 E0EBA3DE9CB28562C032A5A4A3ADAB8A Checksum_1: 000102030405060708090A0B0C0D0E0F 101112131415161718191A1B1C1D1E1F C_1: 5327CF07146F7B51A5D7AABA93D7F626 2F65ED3931815A5EF681217EBBF2BB13 L_1: 73AD209FA810B6289569985FD5F320DA 8744614DF2CC0551504F21CC8092E9B7 Offset_2: 127F04474A268A4120FA99B0BDA8C669 67AFC2936E7E8033907D8468233F423D Checksum_2: 20202020202020202020202020202020 20202020202020202020202020202020 C_2: F464772416E08D4BEAC37DFD8F614D98 AD7D58B1A63A24BB1CFE491D02AE28ED Offset_*: 7C0AA054BF249C843257AABB4716A272 37474EBAD0270099BA746051B32D1E86 Pad: FC2C458CD71977BBC97F54EF23F218C0 7C6AD1938FDE8374AF27960469595171 PaddedP: 404142434445464748494A4B4C4D4E4F 80000000000000000000000000000000 Checksum_*: 606162636465666768696A6B6C6D6E6F A0202020202020202020202020202020 C_*: BC6D07CF935C31FC81361EA46FBF568F Tag: E4E72EE35BBD8FBBD04B2FCDB9656044 A9EFE1140327CEBB9A1750CDBD1BD3EC Krovetz Expires November 12, 2018 [Page 20]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 A.6. Example 6: Extended Tests The following VALIDATE[B] algorithm tests a wider variety of inputs. Parameter B indicates that throughout the validation RC6-(B/4)/16/16 (ie, RC6 with B-bit blocklength, 16 rounds, and 16-byte keys) is the blockcipher used. Please note that when B is not a power of two, then the non-standard version of RC6 documented in [RFCRC6] is used. In all cases TAGLEN is min(B, 256). Function name: VALIDATE[B] Output: Y, string of length min(B, 256) bits Y is defined as follows. K = 000102030405060708090A0B0C0D0E0F C = <empty string> for i = 0 to 127 do S = (0x00 || 0x01 || 0x02 || ...)[1..8i] N = num2str(3i+1,16) C = C || OCB-ENCRYPT(K,N,S,S) N = num2str(3i+2,16) C = C || OCB-ENCRYPT(K,N,<empty string>,S) N = num2str(3i+3,16) C = C || OCB-ENCRYPT(K,N,S,<empty string>) end for N = num2str(385,16) Y = OCB-ENCRYPT(K,N,C,<empty string>) Iteration i of the loop adds 2i + (3 * TAGLEN / 8) bytes to C, resulting in an ultimate length for C of 16256 + 48 * TAGLEN bytes. The final OCB-ENCRYPT has an empty plaintext component, so serves only to authenticate C. The output values should be: Krovetz Expires November 12, 2018 [Page 21]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 VALIDATE[32] == 5A126BD4 VALIDATE[64] == 21CE70BE54BDD72D VALIDATE[96] == 1014F0D84D8060DC47752BAA VALIDATE[128] == 7F9A12DE01C2C3150EBB2593D6531EA4 VALIDATE[192] == 9A078741E919C04D27D788225F4EDC99 EB0864E3AA36C194 VALIDATE[256] == 4D40016D7A255F603110AF8157863D4C C392A2A2026C3CADF275583659389A84 VALIDATE[384] == 64973A1E77815999A50E9B2A0BAFE802 F00F821D5B34E1F63E0D4DF6BA50F600 VALIDATE[512] == 2CE8DA2D843D7373FA138C663305EC25 88FBCCE30DE426E99644E777F3FBCFD5 VALIDATE[768] == 37848B8A255C73CE0EE3BE5C8277340C BE64B54178B8731E052ECEC6BE9E5A07 VALIDATE[1024] == 439667F8BFFFC9D4C16E5CB3DE921F7D AD0B76463AB56321EDB68F2D1D2AEEC0 VALIDATE[1600] == 794CCD79BC11854275C924DF56CB82F2 C443631EF9F9F90251DC6DDC2CCF7F08 Appendix B. Generating RESIDUE, SHIFT, MASKLEN, TAGREP Constants OCB, as defined in [RFC7523] and [OCB], uses several "magic numbers" when manipulating 128-bit blocks (135, 8, 6 and 7 for RESIDUE, SHIFT, MASKLEN and TAGREP). These constants are carefully chosen and depend on BLOCKLEN. A table in Section 3.1 gives values for other assorted blocklengths and this section describes how to produce the values for more blocklengths if needed. Finding MASKLEN and SHIFT for a particular BLOCKLEN begins by following the process described in Section 4.1 of [OCB]. The result of that process is the domain size for every possible shift, 1 through BLOCKLEN-1, in the stretch-then-shift hash used internally by OCB. With that information, MASKLEN and SHIFT are determined as follows. Define MASKLEN as the floor of the base-2 logarithm of the largest domain size found. Keep as SHIFT candidates all shifts with domain sizes of at least 2^MASKLEN. These all provide equal security, but we want a shift that allows efficient implementation too. A shift equal to a large power-of-two would be ideal, but not all BLOCKLEN values produce candidate shifts with that property. Of all the shifts with domains of at least 2^MASKLEN, we continue to keep as candidates those shift values that are minimal modulo 8 (if this minima is equal to zero, then shifts can be performed using byte manipulations). Finally, we prefer shifts that are close to a large power-of-two, so of the remaining candidates, we choose for SHIFT one whose value modulo 8 and modulo 2^k is equal for the largest k, and if more than one has this property we settle on the smallest of those that do. The Sage script at the end of this section makes explicit this process and was run using SageMath 7.6 to generate all of the Krovetz Expires November 12, 2018 [Page 22]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 MASKLEN and SHIFT values given in Section 3.1 [Sage]. Its list of blocklengths can be edited and the script rerun to determine other MASKLEN and SHIFT values. For the other two constants, TAGREP is defined as min(8, t) where t is the smallest integer making 2^t >= BLOCKLEN, and RESIDUE is extracted from [Polys]. To determine a RESIDUE for BLOCKLEN, find the entry whose largest number is BLOCKLEN and let S be the set of numbers other than BLOCKLEN in this entry. Then, RESIDUE = 1 + sum({2^x | x in S}). For example, when BLOCKLEN is 122 we find the entry "122,6,2,1" making S == {6,2,1}. In this case RESIDUE == 1 + 2^6 + 2^2 + 2^1 == 71. B.1. Sage Script For Generating MASKLEN and SHIFT Krovetz Expires November 12, 2018 [Page 23]

Internet-Draft OCB for non-128-bit cipher blocks May 2018 <CODE BEGINS> # w will iterate over these blocklengths. Edit list as you wish. for w in [32, 64, 96, 128, 192, 256, 384, 512, 768, 1024, 1600]: domsize = [0] # domsize[i] will contain domain size of shift i # Find domain size for each possible shift c in 1..w-1 for c in range(1, w): # Build A matrix as specified in Section 4.1 of [OCB] I_rows = [[j == i for j in range(w)] for i in range(w)] J_rows = [[j == i or j == i + c for j in range(w)] for i in range(w)] IJ = matrix(GF(2), I_rows + J_rows) A = [IJ[i:i + w, 0:w] for i in range(w)] # Find number of qualifying sub-matrices (ie, domain size) i = 0 # increase i until not full-rank dom = w # Set dom=i ends loop & sets dom to domain size while i < dom: if A[i].rank() < w: dom=i j = 0 while j < i and i < dom: if (A[i] + A[j]).rank() < w: dom=i j = j + 1 i = i + 1 domsize.append(dom) # set domsize[c] = dom # Generate shifts that are secure, in preference order domain_bits = floor(log(max(domsize), 2)) candidates = (k for i in range(8) for j in range(floor(log(w, 2)),2,-1) for k in range(i,w,2**j) if domsize[k] >= 2**domain_bits) # Print the first one found, or -1 if none print("block bits: %d, mask bits: %d, shift bits: %d" % (w, domain_bits, next(candidates,-1))) <CODE ENDS> Author's Address Krovetz Expires November 12, 2018 [Page 24]

```
Internet-Draft OCB for non-128-bit cipher blocks May 2018
Ted Krovetz
Computer Science Department
California State University
6000 J Street
Sacramento, CA 95819-6021
USA
Email: ted@krovetz.net
Krovetz Expires November 12, 2018 [Page 25]
```