Re: ECB+CTR Mode?

From: Mark Wooding (
Date: 08/11/03

Date: 11 Aug 2003 16:00:00 GMT

Tom St Denis <> wrote:

> Last I checked OBC [or what not]

OCB, by Phillip Rogaway.

> was the only mode to provide both security and authentication.

Err... I presume you mean `secrecy' where you said `security'. Both
secrecy and authenticity are security goals, and there are others. And
you're wrong. Check out Jutla's IACBC and IAPM, and Gligor and
Donescu's XECB and XCBC; and then see EAX (Bellare, Rogaway, and Wagner)
and CWC (Kohno, Viega, and Whiting). All of these come with security
proofs, and I have no reason to think they're invalid.

> Ironically the NIST standard "OMAC" only provides a MAC

Your idea of irony is very odd. And it looks to me as if OMAC does what
it says on the tin.

> [so you might as well use HMAC since it will allow you to use other
> hashes with bigger digest sizes].

Depends. Many applications will truncate MAC tags, because they need
only be unpredictable in their entirety. A 128-bit tag is quite
sufficient for most applications, and using the same 128-bit block
cipher for both means that you don't have to assume the security of some
hash function like SHA1.

> The problem is you need extra entropy to tell the end user the message
> is correct.

Indeed. Hoping that the next layer up can detect garbles is hopeless.
Suppose that what's being transmitted is key material (and hence
random), for example!

-- [mdw]

Relevant Pages

  • Re: Wireless wiretapping unconstitutional
    ... I object to the secrecy about this. ... that the terrorists were planning to mix up on the plane, ... officials responsible for security. ... Congress is under control of the Republicans who won't ...
  • Re: Back Doors (was: EXCP with a DEB)
    ... The first thing to do upon finding a security hole is to notify the vendor. ... IBM will generally understand the hole, and fix it within a reasonable time. ... Said someone else might use the security hole maliciously, ... Secrecy is only beneficial to security in limited circumstances, and certainly not with respect to vulnerability or reliability information. ...
  • RE: Concepts: Security and Obscurity
    ... I don't think port-knocking qualifies as "security ... One of the government's major concerns about the NY Times disclosure ... -- then it's not Security Through Obscurity. ... and does not rely on the secrecy of the mechanism. ...
  • Re: Question about Fortuna and repeating blocks
    ... with forward security. ... Fortuna rekeys after every 'use', which it does for forward secrecy, ... would expect close to one collision on the block values." ... During the discussion of the 2^16 block limit, ...
  • Re: ECB+CTR Mode?
    ... Mark Wooding wrote: ... | Tom St Denis wrote: ... | OCB, by Phillip Rogaway. ... | secrecy and authenticity are security goals, ...