Hi Niels :)

"Niels Möller" <ni...@lysator.liu.se> writes:

> I've now merged OCB support to the master branch. Some changes from the
> development branch:

Sweet!  I can confirm that it performs as expected on our test vectors.

> * I moved the corresponding nettle_aead struct to an internal header for
>   now. Used for tests and benchmarks, but it's unclear which nonce
>   size and tag size are going to be used. IETF protocols using AEAD seem
>   to favor 12 byte (96 bit) nonces, but after a quick look at openpgp,
>   it seems to use a 15 byte nonce?

Yes we do.  I recall that 12 bytes were perceived as being on the short
end, and that some brought that up against GCM.

  https://openpgp-wg.gitlab.io/rfc4880bis/#name-ocb-mode

To encrypt the payload, we use a version 2 SEIPD packet.

  https://openpgp-wg.gitlab.io/rfc4880bis/#name-version-2-sym-encrypted-int

Notably:

  A v2 SEIPD packet consists of one or more chunks of data. The
  plaintext of each chunk is of a size specified using the chunk size
  octet using the method specified below.

  The encrypted data consists of the encryption of each chunk of
  plaintext, followed immediately by the relevant authentication tag. If
  the last chunk of plaintext is smaller than the chunk size, the
  ciphertext for that data may be shorter; it is nevertheless followed
  by a full authentication tag.

  For each chunk, the AEAD construction is given the Packet Tag in
  OpenPGP format encoding (bits 7 and 6 set, bits 5-0 carry the packet
  tag), version number, cipher algorithm octet, AEAD algorithm octet,
  and chunk size octet as additional data. For example, the additional
  data [..] using EAX and AES-128 with a chunk size of 2**22 octets
  consists of the octets 0xD2, 0x02, 0x07, 0x01, and 0x10.

  After the final chunk, the AEAD algorithm is used to produce a final
  authentication tag encrypting the empty string. This AEAD instance is
  given the additional data specified above, plus an eight-octet,
  big-endian value specifying the total number of plaintext octets
  encrypted. This allows detection of a truncated ciphertext.

  [...]

  The nonce for AEAD mode consists of two parts. Let N be the size of
  the nonce. The left-most N - 64 bits are the initialization vector
  derived using HKDF. The right-most 64 bits are the chunk index as
  big-endian value. The index of the first chunk is zero.

In short, the AAD is fixed, the nonce is a 64 bit counter with a random
offset derived from key material using a KDF.  If you think this scheme
is problematic for some reason, we need to know that as soon as
possible, as we are finalizing the draft.

Best,
Justus


_______________________________________________
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
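The chunked construction quoted in the message above, as an added example that is not part of the original mail, of the rfc4880bis draft, or of Nettle. It is instantiated with AES-128 in GCM mode (a 12-byte nonce, so the HKDF-derived IV is the left-most 4 octets and the chunk index the right-most 8) because that runs with only the Go standard library; for OCB the nonce would be 15 octets and only ivLen changes. The message key and the IV are taken as inputs, since the HKDF step is not modelled. The AEAD algorithm octet value 3 for GCM, the limit of 16 on the chunk size octet, and the use of the next chunk index in sequence as the nonce for the final tag are assumptions of this model taken from the draft, not something the quoted text states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	seipdTag      = 18 // SEIPD packet tag; 0xC0|18 == 0xD2 in new-format encoding
	seipdVersion  = 2
	algoAES128    = 7 // cipher algorithm octet
	aeadEAX       = 1 // AEAD algorithm octets (assumed from the draft)
	aeadGCM       = 3
	nonceLen      = 12          // N = 96 bits for GCM in this model
	ivLen         = nonceLen - 8 // left-most N-64 bits come from the HKDF-derived IV
	maxChunkOctet = 16          // 2**(16+6) == 2**22, the largest chunk size accepted here
)

// aad is the fixed additional data: packet tag with bits 7 and 6 set, version,
// cipher algorithm octet, AEAD algorithm octet and chunk size octet.
func aad(cipherAlgo, aeadAlgo, chunkSizeOctet byte) []byte {
	return []byte{0xC0 | seipdTag, seipdVersion, cipherAlgo, aeadAlgo, chunkSizeOctet}
}

// chunkSize maps the chunk size octet c to a plaintext chunk of 2**(c+6) octets.
func chunkSize(c byte) int { return 1 << (uint(c) + 6) }

// nonce is iv || 64-bit big-endian chunk index; the first chunk has index 0.
func nonce(iv []byte, index uint64) []byte {
	n := make([]byte, nonceLen)
	copy(n, iv)
	binary.BigEndian.PutUint64(n[ivLen:], index)
	return n
}

// finalAAD is the fixed AAD followed by the total plaintext length as an
// eight-octet big-endian value, which is what lets the final tag catch truncation.
func finalAAD(ad []byte, total int) []byte {
	out := make([]byte, len(ad)+8)
	copy(out, ad)
	binary.BigEndian.PutUint64(out[len(ad):], uint64(total))
	return out
}

func newGCM(key, iv []byte, c byte) (cipher.AEAD, error) {
	if len(iv) != ivLen || c > maxChunkOctet {
		return nil, errors.New("iv must be nonce size minus 8 octets and chunk size octet <= 16")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-octet nonce, 16-octet tag
}

// encrypt emits each chunk's ciphertext followed by its tag, then the final tag
// over the empty string under the next chunk index.
func encrypt(key, iv []byte, c byte, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key, iv, c)
	if err != nil {
		return nil, err
	}
	ad, cs := aad(algoAES128, aeadGCM, c), chunkSize(c)
	var out []byte
	var idx uint64
	for off := 0; ; off += cs { // always at least one chunk, even for empty input
		end := off + cs
		if end > len(plaintext) {
			end = len(plaintext)
		}
		out = aead.Seal(out, nonce(iv, idx), plaintext[off:end], ad)
		idx++
		if end == len(plaintext) {
			break
		}
	}
	return aead.Seal(out, nonce(iv, idx), nil, finalAAD(ad, len(plaintext))), nil
}

// decrypt checks every chunk tag in order and then the final tag. A ciphertext
// cut at a chunk boundary passes every per-chunk check; only the final tag,
// whose AAD carries the total length, rejects it.
func decrypt(key, iv []byte, c byte, data []byte) ([]byte, error) {
	aead, err := newGCM(key, iv, c)
	if err != nil {
		return nil, err
	}
	tagLen := aead.Overhead()
	if len(data) < 2*tagLen { // one (possibly empty) chunk tag plus the final tag
		return nil, errors.New("ciphertext too short")
	}
	ad, cs := aad(algoAES128, aeadGCM, c), chunkSize(c)
	body, finalTag := data[:len(data)-tagLen], data[len(data)-tagLen:]
	var pt []byte
	var idx uint64
	for off := 0; off < len(body); off += cs + tagLen {
		end := off + cs + tagLen
		if end > len(body) {
			end = len(body)
		}
		chunk, err := aead.Open(nil, nonce(iv, idx), body[off:end], ad)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", idx, err)
		}
		pt = append(pt, chunk...)
		idx++
	}
	if _, err := aead.Open(nil, nonce(iv, idx), finalTag, finalAAD(ad, len(pt))); err != nil {
		return nil, errors.New("final tag: ciphertext truncated or tampered")
	}
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef")      // constructed key, standing in for the HKDF-derived message key
	iv := []byte{0xde, 0xad, 0xbe, 0xef} // constructed 4-octet IV, standing in for the HKDF-derived IV
	ct, _ := encrypt(key, iv, 0, []byte("chunked AEAD with 64-octet chunks"))
	pt, err := decrypt(key, iv, 0, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two things worth keeping in mind when reading this against the draft text: a streaming decryptor hands out each chunk's plaintext as soon as that chunk's tag verifies, so a truncated stream is only rejected at the very end, after earlier plaintext has already been released; and because the right-most 64 bits are a counter that starts at zero for every message, nonce uniqueness rests entirely on the IV never repeating under the same key.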