Re: ECB+CTR Mode?

From: Mark Wooding (
Date: 08/11/03

Date: 11 Aug 2003 16:00:00 GMT

Tom St Denis <> wrote:

> Last I checked OBC [or what not]

OCB, by Phillip Rogaway.

> was the only mode to provide both security and authentication.

Err... I presume you mean `secrecy' where you said `security'. Both
secrecy and authenticity are security goals, and there are others. And
you're wrong. Check out Jutla's IACBC and IAPM, and Gligor and
Donescu's XECB and XCBC; and then see EAX (Bellare, Rogaway, and Wagner)
and CWC (Kohno, Viega, and Whiting). All of these come with security
proofs, and I have no reason to think they're invalid.

> Ironically the NIST standard "OMAC" only provides a MAC

Your idea of irony is very odd. And it looks to me as if OMAC does what
it says on the tin.

> [so you might as well use HMAC since it will allow you to use other
> hashes with bigger digest sizes].

Depends. Many applications will truncate MAC tags, because they need
only be unpredictable in their entirety. A 128-bit tag is quite
sufficient for most applications, and using the same 128-bit block
cipher for both means that you don't have to assume the security of some
hash function like SHA1.

> The problem is you need extra entropy to tell the end user the message
> is correct.

Indeed. Hoping that the next layer up can detect garbles is hopeless.
Suppose that what's being transmitted is key material (and hence
random), for example!

-- [mdw]