Internet Research Task Force (IRTF)                           T. Krovetz
Request for Comments: 7253                              Sacramento State
Category: Informational                                       P. Rogaway
ISSN: 2070-1721                                                 UC Davis
                                                                May 2014
        
Internet Research Task Force (IRTF)                           T. Krovetz
Request for Comments: 7253                              Sacramento State
Category: Informational                                       P. Rogaway
ISSN: 2070-1721                                                 UC Davis
                                                                May 2014
        

The OCB Authenticated-Encryption Algorithm

OCB认证加密算法

Abstract

摘要

This document specifies OCB, a shared-key blockcipher-based encryption scheme that provides confidentiality and authenticity for plaintexts and authenticity for associated data. This document is a product of the Crypto Forum Research Group (CFRG).

本文档指定了OCB,这是一种基于共享密钥分组密码的加密方案,可为明文提供机密性和真实性,并为相关数据提供真实性。本文件是加密论坛研究组(CFRG)的产品。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网研究工作组(IRTF)的产品。IRTF发布互联网相关研究和开发活动的结果。这些结果可能不适合部署。本RFC代表了互联网研究工作组(IRTF)加密论坛研究小组的共识。IRSG批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7253.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7253.

Copyright Notice

版权公告

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2014 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1. Introduction ....................................................2
   2. Notation and Basic Operations ...................................4
   3. OCB Global Parameters ...........................................5
      3.1. Named OCB Parameter Sets and RFC 5116 Constants ............6
   4. OCB Algorithms ..................................................6
      4.1. Processing Associated Data: HASH ...........................6
      4.2. Encryption: OCB-ENCRYPT ....................................8
      4.3. Decryption: OCB-DECRYPT ....................................9
   5. Security Considerations ........................................11
      5.1. Nonce Requirements ........................................12
   6. IANA Considerations ............................................13
   7. Acknowledgements ...............................................13
   8. References .....................................................14
      8.1. Normative References ......................................14
      8.2. Informative References ....................................14
   Appendix A.  Sample Results .......................................15
        
   1. Introduction ....................................................2
   2. Notation and Basic Operations ...................................4
   3. OCB Global Parameters ...........................................5
      3.1. Named OCB Parameter Sets and RFC 5116 Constants ............6
   4. OCB Algorithms ..................................................6
      4.1. Processing Associated Data: HASH ...........................6
      4.2. Encryption: OCB-ENCRYPT ....................................8
      4.3. Decryption: OCB-DECRYPT ....................................9
   5. Security Considerations ........................................11
      5.1. Nonce Requirements ........................................12
   6. IANA Considerations ............................................13
   7. Acknowledgements ...............................................13
   8. References .....................................................14
      8.1. Normative References ......................................14
      8.2. Informative References ....................................14
   Appendix A.  Sample Results .......................................15
        
1. Introduction
1. 介绍

Schemes for authenticated encryption (AE) simultaneously provide for confidentiality and authentication. While this goal would traditionally be achieved by melding separate encryption and authentication mechanisms, each using its own key, integrated AE schemes intertwine what is needed for confidentiality and what is needed for authenticity. By conceptualizing AE as a single cryptographic goal, AE schemes are less likely to be misused than conventional encryption schemes. Also, integrated AE schemes can be significantly faster than what one sees from composing separate confidentiality and authenticity means.

认证加密(AE)方案同时提供机密性和认证。虽然这一目标传统上是通过融合单独的加密和身份验证机制来实现的,每个机制都使用自己的密钥,但集成的AE方案将保密性和真实性所需的内容交织在一起。通过将AE概念化为单个加密目标,AE方案比传统加密方案更不可能被误用。此外,集成的AE方案可以比组成单独的机密性和真实性手段的速度快得多。

When an AE scheme allows for the authentication of unencrypted data at the same time that a plaintext is being encrypted and authenticated, the scheme is an authenticated encryption with associated data (AEAD) scheme. Associated data can be useful when, for example, a network packet has unencrypted routing information and an encrypted payload.

当AE方案允许在加密和验证明文的同时对未加密数据进行身份验证时,该方案是一个认证的关联数据加密(AEAD)方案。例如,当网络分组具有未加密的路由信息和加密的有效负载时,相关联的数据可能是有用的。

OCB is an AEAD scheme that depends on a blockcipher. This document fully defines OCB encryption and decryption except for the choice of the blockcipher and the length of authentication tag that is part of the ciphertext. The blockcipher must have a 128-bit blocksize. Each choice of blockcipher and tag length specifies a different variant of OCB. Several AES-based variants are defined in Section 3.1.

OCB是一种依赖于分组密码的AEAD方案。本文档完全定义了OCB加密和解密,但分组密码的选择和作为密文一部分的身份验证标签的长度除外。块密码必须具有128位的块大小。块密码和标记长度的每个选项都指定OCB的不同变体。第3.1节定义了几种基于AES的变体。

OCB encryption and decryption employ a nonce N, which must be distinct for each invocation of the OCB encryption operation. OCB requires the associated data A to be specified when one encrypts or decrypts, but it may be zero-length. The plaintext P and the associated data A can have any bitlength. The ciphertext C one gets by encrypting P in the presence of A consists of a ciphertext-core having the same length as P, plus an authentication tag. One can view the resulting ciphertext as either the pair (ciphertext-core, tag) or their concatenation (ciphertext-core || tag), the difference being purely how one assembles and parses ciphertexts. This document uses concatenation.

OCB加密和解密使用一个nonce N,它对于每次调用OCB加密操作都必须是不同的。OCB要求在加密或解密时指定关联的数据A,但其长度可能为零。明文P和相关联的数据A可以具有任何比特长度。密文C one通过在存在A的情况下对P进行加密而获得,该密文C one由具有与P相同长度的密文核心以及认证标记组成。人们可以将生成的密文视为一对(密文核心,标记)或它们的串联(密文核心| |标记),区别仅仅在于如何组合和解析密文。此文档使用连接。

OCB encryption protects the confidentiality of P and the authenticity of A, N, and P. It does this using, on average, about a + m + 1.02 blockcipher calls, where a is the blocklength of A, m is the blocklength of P, and the nonce N is implemented as a counter (if N is random, then OCB uses a + m + 2 blockcipher calls). If A is fixed during a session, then, after preprocessing, there is effectively no cost to having A authenticated on subsequent encryptions, and the mode will average m + 1.02 blockcipher calls. OCB requires a single key K for the underlying blockcipher, and all blockcipher calls are keyed by K. OCB is online. In particular, one need not know the length of A or P to proceed with encryption, nor need one know the length of A or C to proceed with decryption. OCB is parallelizable: the bulk of its blockcipher calls can be performed simultaneously. Computational work beyond blockcipher calls consists of a small and fixed number of logical operations per call. OCB enjoys provable security: the mode of operation is secure assuming that the underlying blockcipher is secure. As with most modes of operation, security degrades as the number of blocks processed gets large (see Section 5 for details).

OCB加密保护P的机密性以及A、N和P的真实性。它平均使用A+m+1.02块密码调用来实现这一点,其中A是A的块长度,m是P的块长度,nonce N作为计数器实现(如果N是随机的,则OCB使用A+m+2块密码调用)。如果在会话期间固定了,则在预处理之后,在后续加密上进行身份验证实际上没有成本,并且该模式将平均m+1.02个块密码调用。OCB要求基础块密码使用单个密钥K,所有块密码调用都由K设置密钥。OCB在线。特别是,进行加密时不需要知道A或P的长度,进行解密时也不需要知道A或C的长度。OCB是可并行的:它的大部分块密码调用可以同时执行。块密码调用之外的计算工作包括每次调用少量固定数量的逻辑操作。OCB享有可证明的安全性:假设底层块密码是安全的,则操作模式是安全的。与大多数操作模式一样,当处理的块数变大时,安全性会降低(有关详细信息,请参阅第5节)。

For reasons of generality, OCB is defined to operate on arbitrary bitstrings. But for reasons of simplicity and efficiency, most implementations will assume that strings operated on are bytestrings (i.e., strings that are a multiple of 8 bits). To promote interoperability, implementations of OCB that communicate with implementations of unknown capabilities should restrict all provided values (nonces, tags, plaintexts, ciphertexts, and associated data) to bytestrings.

出于通用性的原因,OCB被定义为对任意位字符串进行操作。但出于简单和高效的原因,大多数实现都会假设操作的字符串是bytestring(即8位的倍数的字符串)。为了促进互操作性,与未知功能实现通信的OCB实现应将所有提供的值(nonce、标记、明文、密文和相关数据)限制为bytestring。

The version of OCB defined in this document is a refinement of two prior schemes. The original OCB version was published in 2001 [OCB1] and was listed as an optional component in IEEE 802.11i. A second version was published in 2004 [OCB2] and is specified in ISO 19772. The scheme described here is called OCB3 in the 2011 paper describing the mode [OCB3]; it shall be referred to simply as OCB throughout this document. The only difference between the algorithm of this RFC

本文件中定义的OCB版本是对两个先前方案的改进。最初的OCB版本于2001年发布[OCB1],并在IEEE 802.11i中作为可选组件列出。第二个版本发布于2004年[OCB2],并在ISO 19772中进行了规定。这里描述的方案在2011年描述模式[OCB3]的论文中称为OCB3;在本文件中,简称OCB。此RFC的算法之间的唯一区别

and that of the [OCB3] paper is that the tag length is now encoded into the internally formatted nonce. See [OCB3] for complete references, timing information, and a discussion of the differences between the algorithms. OCB was initially the acronym for Offset Codebook but is now the algorithm's full name.

[OCB3]论文的内容是,标签长度现在被编码到内部格式化的nonce中。有关完整的参考资料、计时信息以及算法之间差异的讨论,请参见[OCB3]。OCB最初是Offset Codebook的首字母缩写,但现在是该算法的全称。

OCB has received years of in-depth analysis previous to its submission to the CFRG and has been under review by the members of the CFRG for over a year. It is the consensus of the CFRG that the security mechanisms provided by the OCB AEAD algorithm described in this document are suitable for use in providing confidentiality and authentication.

OCB在提交给CFRG之前已经收到了多年的深入分析,并且已经接受了CFRG成员一年多的审查。CFRG一致认为,本文件中描述的OCB AEAD算法提供的安全机制适用于提供机密性和身份验证。

2. Notation and Basic Operations
2. 符号与基本运算

There are two types of variables used in this specification, strings and integers. Although strings processed by most implementations of OCB will be strings of bytes, bit-level operations are used throughout this specification document for defining OCB. String variables are always written with an initial uppercase letter while integer variables are written in all lowercase. Following C's convention, a single equals ("=") indicates variable assignment and double equals ("==") is the equality relation. Whenever a variable is followed by an underscore ("_"), the underscore is intended to denote a subscript, with the subscripted expression requiring evaluation to resolve the meaning of the variable. For example, when i == 2, then P_i refers to the variable P_2.

本规范中使用了两种类型的变量:字符串和整数。虽然大多数OCB实现处理的字符串都是字节字符串,但本规范文档中使用位级操作来定义OCB。字符串变量总是以大写字母开头,而整数变量则全部以小写字母开头。按照C的约定,单等号(“=”)表示变量赋值,双等号(“=”)表示相等关系。每当一个变量后面跟一个下划线(“389;”),下划线就表示一个下标,下标表达式需要求值来解析变量的含义。例如,当i==2时,P_i指变量P_2。

c^i The integer c raised to the i-th power.

c^i提升到第i次方的整数c。

bitlen(S) The length of string S in bits (e.g., bitlen(101) == 3).

bitlen(S)以位为单位的字符串S的长度(例如,bitlen(101)=3)。

zeros(n) The string made of n zero bits.

零(n)由n个零位组成的字符串。

ntz(n) The number of trailing zero bits in the base-2 representation of the positive integer n. More formally, ntz(n) is the largest integer x for which 2^x divides n.

ntz(n)正整数n的基2表示形式中的尾随零位数。更正式地说,ntz(n)是2^x除以n的最大整数x。

S xor T The string that is the bitwise exclusive-or of S and T. Strings S and T will always have the same length.

S xor T是S和T的位异或字符串。字符串S和T的长度始终相同。

S[i] The i-th bit of the string S (indices begin at 1, so if S is 011, then S[1] == 0, S[2] == 1, S[3] == 1).

S[i]字符串S的第i位(索引从1开始,因此如果S为011,则S[1]==0,S[2]==1,S[3]==1)。

S[i..j] The substring of S consisting of bits i through j, inclusive.

S[i..j]S的子串,由i到j位组成,包括。

S || T String S concatenated with string T (e.g., 000 || 111 == 000111).

S | | T字符串S与字符串T连接(例如,000 | | 111==000111)。

str2num(S) The base-2 interpretation of bitstring S (e.g., str2num(1110) == 14).

str2num(S)位字符串S的基2解释(例如,str2num(1110)==14)。

num2str(i,n) The n-bit string whose base-2 interpretation is i (e.g., num2str(14,4) == 1110 and num2str(1,2) == 01).

num2str(i,n)其基2解释为i的n位字符串(例如,num2str(14,4)==1110和num2str(1,2)==01)。

   double(S)     If S[1] == 0, then double(S) == (S[2..128] || 0);
                 otherwise, double(S) == (S[2..128] || 0) xor
                 (zeros(120) || 10000111).
        
   double(S)     If S[1] == 0, then double(S) == (S[2..128] || 0);
                 otherwise, double(S) == (S[2..128] || 0) xor
                 (zeros(120) || 10000111).
        
3. OCB Global Parameters
3. OCB全局参数

To be complete, the algorithms in this document require specification of two global parameters: a blockcipher operating on 128-bit blocks and the length of authentication tags in use.

完整地说,本文中的算法需要指定两个全局参数:操作128位块的块密码和使用的身份验证标签的长度。

Specifying a blockcipher implicitly defines the following symbols.

指定块密码会隐式定义以下符号。

KEYLEN The blockcipher's key length in bits.

KEYLEN块密码的密钥长度(以位为单位)。

ENCIPHER(K,P) The blockcipher function mapping 128-bit plaintext block P to its corresponding ciphertext block using KEYLEN-bit key K.

加密(K,P)使用KEYLEN位密钥K将128位明文块P映射到其相应密文块的块密码函数。

DECIPHER(K,C) The inverse blockcipher function mapping 128-bit ciphertext block C to its corresponding plaintext block using KEYLEN-bit key K.

使用KEYLEN位密钥K解密(K,C)将128位密文块C映射到其对应的明文块的逆块密码函数。

The TAGLEN parameter specifies the length of authentication tag used by OCB and may be any value up to 128. Greater values for TAGLEN provide greater assurances of authenticity, but ciphertexts produced by OCB are longer than their corresponding plaintext by TAGLEN bits. See Section 5 for details about TAGLEN and security.

TAGLEN参数指定OCB使用的身份验证标记的长度,可以是最大为128的任何值。TAGLEN的值越大,真实性的保证就越大,但OCB产生的密文比TAGLEN位对应的明文要长。有关标记和安全性的详细信息,请参见第5节。

As an example, if 128-bit authentication tags and AES with 192-bit keys are to be used, then KEYLEN is 192, ENCIPHER refers to the AES-192 cipher, DECIPHER refers to the AES-192 inverse cipher, and TAGLEN is 128 [AES].

例如,如果要使用128位身份验证标签和带有192位密钥的AES,则KEYLEN为192,ENCIPHER为AES-192密码,DECIPHER为AES-192逆密码,TAGLEN为128[AES]。

3.1. Named OCB Parameter Sets and RFC 5116 Constants
3.1. 命名OCB参数集和RFC 5116常量

The following table gives names to common OCB global parameter sets. Each of the AES variants is defined in [AES].

下表给出了常用OCB全局参数集的名称。[AES]中定义了每个AES变体。

           +----------------------------+-------------+--------+
           | Name                       | Blockcipher | TAGLEN |
           +----------------------------+-------------+--------+
           | AEAD_AES_128_OCB_TAGLEN128 |   AES-128   |  128   |
           | AEAD_AES_128_OCB_TAGLEN96  |   AES-128   |   96   |
           | AEAD_AES_128_OCB_TAGLEN64  |   AES-128   |   64   |
           | AEAD_AES_192_OCB_TAGLEN128 |   AES-192   |  128   |
           | AEAD_AES_192_OCB_TAGLEN96  |   AES-192   |   96   |
           | AEAD_AES_192_OCB_TAGLEN64  |   AES-192   |   64   |
           | AEAD_AES_256_OCB_TAGLEN128 |   AES-256   |  128   |
           | AEAD_AES_256_OCB_TAGLEN96  |   AES-256   |   96   |
           | AEAD_AES_256_OCB_TAGLEN64  |   AES-256   |   64   |
           +----------------------------+-------------+--------+
        
           +----------------------------+-------------+--------+
           | Name                       | Blockcipher | TAGLEN |
           +----------------------------+-------------+--------+
           | AEAD_AES_128_OCB_TAGLEN128 |   AES-128   |  128   |
           | AEAD_AES_128_OCB_TAGLEN96  |   AES-128   |   96   |
           | AEAD_AES_128_OCB_TAGLEN64  |   AES-128   |   64   |
           | AEAD_AES_192_OCB_TAGLEN128 |   AES-192   |  128   |
           | AEAD_AES_192_OCB_TAGLEN96  |   AES-192   |   96   |
           | AEAD_AES_192_OCB_TAGLEN64  |   AES-192   |   64   |
           | AEAD_AES_256_OCB_TAGLEN128 |   AES-256   |  128   |
           | AEAD_AES_256_OCB_TAGLEN96  |   AES-256   |   96   |
           | AEAD_AES_256_OCB_TAGLEN64  |   AES-256   |   64   |
           +----------------------------+-------------+--------+
        

RFC 5116 defines an interface for authenticated-encryption schemes [RFC5116]. RFC 5116 requires the specification of certain constants for each named AEAD scheme. For each of the OCB parameter sets listed above: P_MAX, A_MAX, and C_MAX are all unbounded; N_MIN is 1 byte, and N_MAX is 15 bytes. The parameter sets indicating the use of AES-128, AES-192, and AES-256 have K_LEN equal to 16, 24, and 32 bytes, respectively.

RFC 5116为经过身份验证的加密方案定义了一个接口[RFC5116]。RFC 5116要求为每个命名的AEAD方案指定某些常量。对于上面列出的每个OCB参数集:P_MAX、A_MAX和C_MAX都是无界的;N_MIN为1字节,N_MAX为15字节。指示使用AES-128、AES-192和AES-256的参数集的K_LEN分别等于16、24和32字节。

Each ciphertext is longer than its corresponding plaintext by exactly TAGLEN bits, and TAGLEN is given at the end of each name. For instance, an AEAD_AES_128_OCB_TAGLEN64 ciphertext is exactly 64 bits longer than its corresponding plaintext.

每个密文的长度都比其对应的明文长整整一个TAGLEN位,TAGLEN位于每个名称的末尾。例如,AEAD_AES_128_OCB_TAGLEN64密文正好比其对应的明文长64位。

4. OCB Algorithms
4. OCB算法

OCB is described in this section using pseudocode. Given any collection of inputs of the required types, following the pseudocode description for a function will produce the correct output of the promised type.

本节使用伪代码描述OCB。给定所需类型的任何输入集合,遵循函数的伪代码描述将生成承诺类型的正确输出。

4.1. Processing Associated Data: HASH
4.1. 处理关联数据:哈希

OCB has the ability to authenticate unencrypted associated data at the same time that it provides for authentication and encrypts a plaintext. The following hash function is central to providing this functionality. If an application has no associated data, then the associated data should be considered to exist and to be the empty string. HASH, conveniently, always returns zeros(128) when the associated data is the empty string.

OCB能够在提供身份验证和加密明文的同时对未加密的关联数据进行身份验证。以下哈希函数是提供此功能的核心。如果应用程序没有关联的数据,那么关联的数据应该被视为存在并且是空字符串。当关联的数据是空字符串时,哈希总是方便地返回零(128)。

   Function name:
     HASH
   Input:
     K, string of KEYLEN bits                      // Key
     A, string of any length                       // Associated data
   Output:
     Sum, string of 128 bits                       // Hash result
        
   Function name:
     HASH
   Input:
     K, string of KEYLEN bits                      // Key
     A, string of any length                       // Associated data
   Output:
     Sum, string of 128 bits                       // Hash result
        

Sum is defined as follows.

总和的定义如下。

     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Consider A as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(A)
     Let A_1, A_2, ..., A_m and A_* be strings so that
       A == A_1 || A_2 || ... || A_m || A_*, and
       bitlen(A_i) == 128 for each 1 <= i <= m.
       Note: A_* may possibly be the empty string.
        
     //
     // Consider A as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(A)
     Let A_1, A_2, ..., A_m and A_* be strings so that
       A == A_1 || A_2 || ... || A_m || A_*, and
       bitlen(A_i) == 128 for each 1 <= i <= m.
       Note: A_* may possibly be the empty string.
        
     //
     // Process any whole blocks
     //
     Sum_0 = zeros(128)
     Offset_0 = zeros(128)
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i)
     end for
        
     //
     // Process any whole blocks
     //
     Sum_0 = zeros(128)
     Offset_0 = zeros(128)
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i)
     end for
        
     //
     // Process any final partial block; compute final hash value
     //
     if bitlen(A_*) > 0 then
        Offset_* = Offset_m xor L_*
        CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_*
        Sum = Sum_m xor ENCIPHER(K, CipherInput)
     else
        Sum = Sum_m
     end if
        
     //
     // Process any final partial block; compute final hash value
     //
     if bitlen(A_*) > 0 then
        Offset_* = Offset_m xor L_*
        CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_*
        Sum = Sum_m xor ENCIPHER(K, CipherInput)
     else
        Sum = Sum_m
     end if
        
4.2. Encryption: OCB-ENCRYPT
4.2. 加密:OCB-ENCRYPT

This function computes a ciphertext (which includes a bundled authentication tag) when given a plaintext, associated data, nonce, and key. For each invocation of OCB-ENCRYPT using the same key K, the value of the nonce input N must be distinct.

当给定明文、关联数据、nonce和密钥时,此函数计算密文(包括捆绑的身份验证标记)。对于使用相同密钥K的每次OCB-ENCRYPT调用,nonce输入N的值必须是不同的。

   Function name:
     OCB-ENCRYPT
   Input:
     K, string of KEYLEN bits                      // Key
     N, string of no more than 120 bits            // Nonce
     A, string of any length                       // Associated data
     P, string of any length                       // Plaintext
   Output:
     C, string of length bitlen(P) + TAGLEN bits   // Ciphertext
        
   Function name:
     OCB-ENCRYPT
   Input:
     K, string of KEYLEN bits                      // Key
     N, string of no more than 120 bits            // Nonce
     A, string of any length                       // Associated data
     P, string of any length                       // Plaintext
   Output:
     C, string of length bitlen(P) + TAGLEN bits   // Ciphertext
        

C is defined as follows.

C的定义如下。

     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Consider P as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(P)
     Let P_1, P_2, ..., P_m and P_* be strings so that
       P == P_1 || P_2 || ... || P_m || P_*, and
       bitlen(P_i) == 128 for each 1 <= i <= m.
       Note: P_* may possibly be the empty string.
        
     //
     // Consider P as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(P)
     Let P_1, P_2, ..., P_m and P_* be strings so that
       P == P_1 || P_2 || ... || P_m || P_*, and
       bitlen(P_i) == 128 for each 1 <= i <= m.
       Note: P_* may possibly be the empty string.
        
     //
     // Nonce-dependent and per-encryption variables
     //
     Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
     bottom = str2num(Nonce[123..128])
     Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
     Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
     Offset_0 = Stretch[1+bottom..128+bottom]
     Checksum_0 = zeros(128)
        
     //
     // Nonce-dependent and per-encryption variables
     //
     Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
     bottom = str2num(Nonce[123..128])
     Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
     Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
     Offset_0 = Stretch[1+bottom..128+bottom]
     Checksum_0 = zeros(128)
        
     //
     // Process any whole blocks
     //
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i)
        Checksum_i = Checksum_{i-1} xor P_i
     end for
        
     //
     // Process any whole blocks
     //
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i)
        Checksum_i = Checksum_{i-1} xor P_i
     end for
        
     //
     // Process any final partial block and compute raw tag
     //
     if bitlen(P_*) > 0 then
        Offset_* = Offset_m xor L_*
        Pad = ENCIPHER(K, Offset_*)
        C_* = P_* xor Pad[1..bitlen(P_*)]
        Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
        Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
     else
        C_* = <empty string>
        Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A)
     end if
        
     //
     // Process any final partial block and compute raw tag
     //
     if bitlen(P_*) > 0 then
        Offset_* = Offset_m xor L_*
        Pad = ENCIPHER(K, Offset_*)
        C_* = P_* xor Pad[1..bitlen(P_*)]
        Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
        Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
     else
        C_* = <empty string>
        Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A)
     end if
        
     //
     // Assemble ciphertext
     //
     C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]
        
     //
     // Assemble ciphertext
     //
     C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]
        
4.3. Decryption: OCB-DECRYPT
4.3. 解密:OCB-DECRYPT

This function computes a plaintext when given a ciphertext, associated data, nonce, and key. An authentication tag is embedded in the ciphertext. If the tag is not correct for the ciphertext, associated data, nonce, and key, then an INVALID signal is produced.

当给定密文、相关数据、nonce和密钥时,此函数计算明文。认证标签嵌入在密文中。如果密文、相关数据、nonce和key的标记不正确,则产生无效信号。

   Function name:
     OCB-DECRYPT
   Input:
     K, string of KEYLEN bits                      // Key
     N, string of no more than 120 bits            // Nonce
     A, string of any length                       // Associated data
     C, string of at least TAGLEN bits             // Ciphertext
   Output:
     P, string of length bitlen(C) - TAGLEN bits,  // Plaintext
          or INVALID indicating authentication failure
        
   Function name:
     OCB-DECRYPT
   Input:
     K, string of KEYLEN bits                      // Key
     N, string of no more than 120 bits            // Nonce
     A, string of any length                       // Associated data
     C, string of at least TAGLEN bits             // Ciphertext
   Output:
     P, string of length bitlen(C) - TAGLEN bits,  // Plaintext
          or INVALID indicating authentication failure
        

P is defined as follows.

P的定义如下。

     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Key-dependent variables
     //
     L_* = ENCIPHER(K, zeros(128))
     L_$ = double(L_*)
     L_0 = double(L_$)
     L_i = double(L_{i-1}) for every integer i > 0
        
     //
     // Consider C as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(C) - TAGLEN
     Let C_1, C_2, ..., C_m, C_* and T be strings so that
       C == C_1 || C_2 || ... || C_m || C_* || T,
       bitlen(C_i) == 128 for each 1 <= i <= m, and
       bitlen(T) == TAGLEN.
       Note: C_* may possibly be the empty string.
        
     //
     // Consider C as a sequence of 128-bit blocks
     //
     Let m be the largest integer so that 128m <= bitlen(C) - TAGLEN
     Let C_1, C_2, ..., C_m, C_* and T be strings so that
       C == C_1 || C_2 || ... || C_m || C_* || T,
       bitlen(C_i) == 128 for each 1 <= i <= m, and
       bitlen(T) == TAGLEN.
       Note: C_* may possibly be the empty string.
        
     //
     // Nonce-dependent and per-decryption variables
     //
     Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
     bottom = str2num(Nonce[123..128])
     Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
     Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
     Offset_0 = Stretch[1+bottom..128+bottom]
     Checksum_0 = zeros(128)
        
     //
     // Nonce-dependent and per-decryption variables
     //
     Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
     bottom = str2num(Nonce[123..128])
     Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
     Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
     Offset_0 = Stretch[1+bottom..128+bottom]
     Checksum_0 = zeros(128)
        
     //
     // Process any whole blocks
     //
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i)
        Checksum_i = Checksum_{i-1} xor P_i
     end for
        
     //
     // Process any whole blocks
     //
     for each 1 <= i <= m
        Offset_i = Offset_{i-1} xor L_{ntz(i)}
        P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i)
        Checksum_i = Checksum_{i-1} xor P_i
     end for
        
     //
     // Process any final partial block and compute raw tag
     //
     if bitlen(C_*) > 0 then
        Offset_* = Offset_m xor L_*
        Pad = ENCIPHER(K, Offset_*)
        P_* = C_* xor Pad[1..bitlen(C_*)]
        Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
        Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
        
     //
     // Process any final partial block and compute raw tag
     //
     if bitlen(C_*) > 0 then
        Offset_* = Offset_m xor L_*
        Pad = ENCIPHER(K, Offset_*)
        P_* = C_* xor Pad[1..bitlen(C_*)]
        Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
        Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
        
     else
        P_* = <empty string>
        Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A)
     end if
        
     else
        P_* = <empty string>
        Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A)
     end if
        
     //
     // Check for validity and assemble plaintext
     //
     if (Tag[1..TAGLEN] == T) then
        P = P_1 || P_2 || ... || P_m || P_*
     else
        P = INVALID
     end if
        
     //
     // Check for validity and assemble plaintext
     //
     if (Tag[1..TAGLEN] == T) then
        P = P_1 || P_2 || ... || P_m || P_*
     else
        P = INVALID
     end if
        
5. Security Considerations
5. 安全考虑

OCB achieves two security properties, confidentiality and authenticity. Confidentiality is defined via "indistinguishability from random bits", meaning that an adversary is unable to distinguish OCB outputs from an equal number of random bits. Authenticity is defined via "authenticity of ciphertexts", meaning that an adversary is unable to produce any valid nonce-ciphertext pair that it has not already acquired. The security guarantees depend on the underlying blockcipher being secure in the sense of a strong pseudorandom permutation. Thus, if OCB is used with a blockcipher that is not secure as a strong pseudorandom permutation, the security guarantees vanish. The need for the strong pseudorandom permutation property means that OCB should be used with a conservatively designed, well-trusted blockcipher, such as AES.

OCB实现了两个安全属性:机密性和真实性。保密性是通过“与随机比特的不可区分性”来定义的,这意味着对手无法区分OCB输出和相同数量的随机比特。真实性是通过“密文的真实性”来定义的,这意味着对手无法产生任何其尚未获得的有效的非电子密文对。安全保证取决于底层分组密码在强伪随机置换意义下的安全性。因此,如果OCB与作为强伪随机置换不安全的分组密码一起使用,则安全保证消失。对强伪随机置换特性的需要意味着OCB应该与保守设计、可靠的分组密码(如AES)一起使用。

Both the confidentiality and the authenticity properties of OCB degrade as per s^2 / 2^128, where s is the total number of blocks that the adversary acquires. The consequence of this formula is that the proven security disappears when s becomes as large as 2^64. Thus, the user should never use a key to generate an amount of ciphertext that is near to, or exceeds, 2^64 blocks. In order to ensure that s^2 / 2^128 remains small, a given key should be used to encrypt at most 2^48 blocks (2^55 bits or 4 petabytes), including the associated data. To ensure these limits are not crossed, automated key management is recommended in systems exchanging large amounts of data [RFC4107].

OCB的机密性和真实性属性都会根据s^2/2^128降级,其中s是对手获取的块总数。此公式的结果是,当s变大到2^64时,已验证的安全性将消失。因此,用户不应使用密钥生成接近或超过2^64个块的密文量。为了确保s^2/2^128保持较小,应使用给定密钥加密最多2^48个块(2^55位或4 PB),包括相关数据。为确保不超过这些限制,建议在交换大量数据的系统中进行自动密钥管理[RFC4107]。

When a ciphertext decrypts as INVALID, it is the implementor's responsibility to make sure that no information beyond this fact is made adversarially available.

当密文解密为无效时,实现者有责任确保除此之外的任何信息都不会被恶意提供。

OCB encryption and decryption produce an internal 128-bit authentication tag. The parameter TAGLEN determines how many bits of

OCB加密和解密产生一个内部128位身份验证标签。参数TAGLEN决定了数据的位数

this internal tag are included in ciphertexts and used for authentication. The value of TAGLEN has two impacts: an adversary can trivially forge with probability 2^{-TAGLEN}, and ciphertexts are TAGLEN bits longer than their corresponding plaintexts. It is up to the application designer to choose an appropriate value for TAGLEN. Long tags cost no more computationally than short ones.

此内部标记包含在密文中并用于身份验证。TAGLEN的价值有两个影响:对手可以以2^{-TAGLEN}的概率轻易伪造,密文是比其相应明文长的TAGLEN位。由应用程序设计者为TAGLEN选择适当的值。长标签的计算成本并不比短标签高。

Normally, a given key should be used to create ciphertexts with a single tag length, TAGLEN, and an application should reject any ciphertext that claims authenticity under the same key but a different tag length. While the ciphertext core and all of the bits of the tag do depend on the tag length, this is done for added robustness to misuse and should not suggest that receivers accept ciphertexts employing variable tag lengths under a single key.

通常,应使用给定的密钥创建具有单个标记长度TAGLEN的密文,并且应用程序应拒绝在相同密钥但不同标记长度下声明真实性的任何密文。虽然密文核心和标签的所有位确实取决于标签长度,但这样做是为了增加对误用的鲁棒性,并且不应建议接收者接受在单个密钥下使用可变标签长度的密文。

Timing attacks are not a part of the formal security model and an implementation should take care to mitigate them in contexts where this is a concern. To render timing attacks impotent, the amount of time to encrypt or decrypt a string should be independent of the key and the contents of the string. The only explicitly conditional OCB operation that depends on private data is double(), which means that using constant-time blockcipher and double() implementations eliminates most (if not all) sources of timing attacks on OCB. Power-usage attacks are likewise out of the scope of the formal model and should be considered for environments where they are threatening.

定时攻击不是正式安全模型的一部分,在需要考虑定时攻击的情况下,实现应注意缓解定时攻击。要使定时攻击无效,加密或解密字符串的时间量应与密钥和字符串内容无关。唯一依赖于私有数据的显式条件OCB操作是double(),这意味着使用常量时间块密码和double()实现可以消除对OCB的大部分(如果不是全部)定时攻击源。同样,用电攻击也超出了正式模型的范围,应该考虑在它们具有威胁的环境中使用。

The OCB encryption scheme reveals in the ciphertext the length of the plaintext. Sometimes the length of the plaintext is a valuable piece of information that should be hidden. For environments where "traffic analysis" is a concern, techniques beyond OCB encryption (typically involving padding) would be necessary.

OCB加密方案在密文中显示明文的长度。有时,明文的长度是一条有价值的信息,应该隐藏起来。对于关注“流量分析”的环境,OCB加密以外的技术(通常涉及填充)是必要的。

Defining the ciphertext that results from OCB-ENCRYPT to be the pair (C_1 || C_2 || ... || C_m || C_*, Tag[1..TAGLEN]) instead of the concatenation C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN] introduces no security concerns. Because TAGLEN is fixed, both versions allow ciphertexts to be parsed unambiguously.

将OCB-ENCRYPT生成的密文定义为一对(C|u 1 | C|u 2 | | | | | C| m | | | C | | m | | C | | | |标记[1..TAGLEN]),而不是串联C|C|m | C|*| Tag[1..TAGLEN]没有引入任何安全问题。因为TAGLEN是固定的,所以两个版本都允许对密文进行明确的解析。

5.1. Nonce Requirements
5.1. 临时要求

It is crucial that, as one encrypts, one does not repeat a nonce. The inadvertent reuse of the same nonce by two invocations of the OCB encryption operation, with the same key, but with distinct plaintext values, undermines the confidentiality of the plaintexts protected in those two invocations and undermines all of the authenticity and integrity protection provided by that key. For this reason, OCB should only be used whenever nonce uniqueness can be provided with certainty. Note that it is acceptable to input the same nonce value

重要的是,在加密时,不要重复一次。OCB加密操作的两次调用(使用相同的密钥,但具有不同的明文值)无意中重用相同的nonce会破坏在这两次调用中保护的明文的机密性,并破坏该密钥提供的所有真实性和完整性保护。因此,OCB只应在能够确定提供nonce唯一性的情况下使用。请注意,可以输入相同的nonce值

multiple times to the decryption operation. We emphasize that the security consequences are quite serious if an attacker observes two ciphertexts that were created using the same nonce and key values, unless the plaintext and associated data values in both invocations of the encrypt operation were identical. First, a loss of confidentiality ensues because the attacker will be able to infer relationships between the two plaintext values. Second, a loss of authenticity ensues because the attacker will be able to recover secret information used to provide authenticity, making subsequent forgeries trivial. Note that there are AEAD schemes, particularly the Synthetic Initialization Vector (SIV) [RFC5297], appropriate for environments where nonces are unavailable or unreliable. OCB is not such a scheme.

多次执行解密操作。我们强调,如果攻击者观察到使用相同的nonce和key值创建的两个密文,则安全后果相当严重,除非加密操作的两次调用中的明文和相关数据值相同。首先,由于攻击者能够推断两个明文值之间的关系,因此会导致机密性丢失。其次,由于攻击者能够恢复用于提供真实性的秘密信息,从而使后续伪造变得微不足道,因此真实性随之丧失。请注意,有AEAD方案,特别是合成初始化向量(SIV)[RFC5297],适用于nonce不可用或不可靠的环境。OCB不是这样一个计划。

Nonces need not be secret, and a counter may be used for them. If two parties send OCB-encrypted plaintexts to one another using the same key, then the space of nonces used by the two parties must be partitioned so that no nonce that could be used by one party to encrypt could be used by the other to encrypt (e.g., odd and even counters).

nonce不需要保密,可以使用计数器。如果双方使用相同的密钥向另一方发送OCB加密的明文,则双方使用的nonce空间必须进行分区,以便一方可以用来加密的nonce不能被另一方用来加密(例如奇偶计数器)。

6. IANA Considerations
6. IANA考虑

The Internet Assigned Numbers Authority (IANA) has defined a registry for Authenticated Encryption with Associated Data parameters. The IANA has added the following entries to the AEAD Registry. Each name refers to a set of parameters defined in Section 3.1.

互联网分配号码管理局(IANA)定义了一个注册表,用于使用相关数据参数进行身份验证加密。IANA已将以下条目添加到AEAD注册表中。每个名称均指第3.1节中定义的一组参数。

         +----------------------------+-------------+------------+
         | Name                       |  Reference  | Numeric ID |
         +----------------------------+-------------+------------+
         | AEAD_AES_128_OCB_TAGLEN128 | Section 3.1 |     20     |
         | AEAD_AES_128_OCB_TAGLEN96  | Section 3.1 |     21     |
         | AEAD_AES_128_OCB_TAGLEN64  | Section 3.1 |     22     |
         | AEAD_AES_192_OCB_TAGLEN128 | Section 3.1 |     23     |
         | AEAD_AES_192_OCB_TAGLEN96  | Section 3.1 |     24     |
         | AEAD_AES_192_OCB_TAGLEN64  | Section 3.1 |     25     |
         | AEAD_AES_256_OCB_TAGLEN128 | Section 3.1 |     26     |
         | AEAD_AES_256_OCB_TAGLEN96  | Section 3.1 |     27     |
         | AEAD_AES_256_OCB_TAGLEN64  | Section 3.1 |     28     |
         +----------------------------+-------------+------------+
        
         +----------------------------+-------------+------------+
         | Name                       |  Reference  | Numeric ID |
         +----------------------------+-------------+------------+
         | AEAD_AES_128_OCB_TAGLEN128 | Section 3.1 |     20     |
         | AEAD_AES_128_OCB_TAGLEN96  | Section 3.1 |     21     |
         | AEAD_AES_128_OCB_TAGLEN64  | Section 3.1 |     22     |
         | AEAD_AES_192_OCB_TAGLEN128 | Section 3.1 |     23     |
         | AEAD_AES_192_OCB_TAGLEN96  | Section 3.1 |     24     |
         | AEAD_AES_192_OCB_TAGLEN64  | Section 3.1 |     25     |
         | AEAD_AES_256_OCB_TAGLEN128 | Section 3.1 |     26     |
         | AEAD_AES_256_OCB_TAGLEN96  | Section 3.1 |     27     |
         | AEAD_AES_256_OCB_TAGLEN64  | Section 3.1 |     28     |
         +----------------------------+-------------+------------+
        
7. Acknowledgements
7. 致谢

The design of the original OCB scheme [OCB1] was done while Rogaway was at Chiang Mai University, Thailand. Follow-up work [OCB2] was done with support of NSF grant 0208842 and a gift from Cisco. The final work by Krovetz and Rogaway [OCB3] that has resulted in this

最初的OCB方案[OCB1]的设计是在Rogaway在泰国清迈大学时完成的。后续工作[OCB2]是在NSF赠款0208842的支持和思科的捐赠下完成的。Krovetz和Rogaway[OCB3]的最后一项工作导致了这一点

specification was supported by NSF grant 0904380. Thanks go to the many members of the Crypto Forum Research Group (CFRG) who provided feedback on earlier drafts. Thanks in particular go to David McGrew for contributing some text and for managing the RFC approval process, to James Manger for initiating a productive discussion on tag-length dependency and for greatly improving Appendix A, to Matt Caswell and Peter Dettman for writing implementations and verifying test vectors, and to Stephen Farrell and Spencer Dawkins for their careful reading and suggestions.

该规范得到了NSF拨款0904380的支持。感谢加密论坛研究小组(CFRG)的许多成员,他们对早期草案提供了反馈。特别感谢David McGrew提供了一些文本并管理了RFC批准流程,感谢James Manger发起了关于标签长度依赖性的富有成效的讨论并大大改进了附录a,感谢Matt Caswell和Peter Dettman编写了实现并验证了测试向量,感谢斯蒂芬·法雷尔和斯宾塞·道金斯的仔细阅读和建议。

8. References
8. 工具书类
8.1. Normative References
8.1. 规范性引用文件

[AES] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001.

[AES]国家标准与技术研究所,“高级加密标准(AES)”,FIPS PUB 197,2001年11月。

[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008.

[RFC5116]McGrew,D.“认证加密的接口和算法”,RFC 5116,2008年1月。

8.2. Informative References
8.2. 资料性引用

[OCB1] Rogaway, P., Bellare, M., Black, J., and T. Krovetz, "OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption", ACM Conference on Computer and Communications Security 2001 - CCS 2001, ACM Press, 2001.

[OCB1]Rogaway,P.,Bellare,M.,Black,J.,和T.Krovetz,“OCB:一种用于有效认证加密的分组密码操作模式”,ACM计算机与通信安全会议2001-CCS 2001,ACM出版社,2001年。

[OCB2] Rogaway, P., "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC", Advances in Cryptology - ASIACRYPT 2004, Springer, 2004.

[OCB2]Rogaway,P.,“可调整块密码的有效实例化和对OCB和PMAC模式的改进”,密码学进展-ASIACRYPT 2004,Springer,2004。

[OCB3] Krovetz, T. and P. Rogaway, "The Software Performance of Authenticated-Encryption Modes", Fast Software Encryption - FSE 2011 Springer, 2011.

[OCB3]Krovetz,T.和P.Rogaway,“认证加密模式的软件性能”,快速软件加密-FSE 2011,Springer,2011。

[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key Management", BCP 107, RFC 4107, June 2005.

[RFC4107]Bellovin,S.和R.Housley,“加密密钥管理指南”,BCP 107,RFC 4107,2005年6月。

[RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)", RFC 5297, October 2008.

[RFC5297]Harkins,D.“使用高级加密标准(AES)的合成初始化向量(SIV)认证加密”,RFC 5297,2008年10月。

Appendix A. Sample Results
附录A.样本结果

This section gives sample output values for various inputs when using OCB with AES as per the parameters defined in Section 3.1. All strings are represented in hexadecimal (e.g., 0F represents the bitstring 00001111).

本节给出了根据第3.1节中定义的参数将OCB与AES一起使用时各种输入的样本输出值。所有字符串均以十六进制表示(例如,0F表示位字符串00001111)。

The following 16 (N,A,P,C) tuples show the ciphertext C that results from OCB-ENCRYPT(K,N,A,P) for various lengths of associated data (A) and plaintext (P). The key (K) has a fixed value, the tag length is 128 bits, and the nonce (N) increments.

以下16个(N,A,P,C)元组显示了OCB-ENCRYPT(K,N,A,P)为不同长度的关联数据(A)和明文(P)生成的密文C。键(K)具有固定值,标记长度为128位,且nonce(N)递增。

     K : 000102030405060708090A0B0C0D0E0F
        
     K : 000102030405060708090A0B0C0D0E0F
        

An empty entry indicates the empty string.

空条目表示空字符串。

     N: BBAA99887766554433221100
     A:
     P:
     C: 785407BFFFC8AD9EDCC5520AC9111EE6
        
     N: BBAA99887766554433221100
     A:
     P:
     C: 785407BFFFC8AD9EDCC5520AC9111EE6
        
     N: BBAA99887766554433221101
     A: 0001020304050607
     P: 0001020304050607
     C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009
        
     N: BBAA99887766554433221101
     A: 0001020304050607
     P: 0001020304050607
     C: 6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009
        
     N: BBAA99887766554433221102
     A: 0001020304050607
     P:
     C: 81017F8203F081277152FADE694A0A00
        
     N: BBAA99887766554433221102
     A: 0001020304050607
     P:
     C: 81017F8203F081277152FADE694A0A00
        
     N: BBAA99887766554433221103
     A:
     P: 0001020304050607
     C: 45DD69F8F5AAE72414054CD1F35D82760B2CD00D2F99BFA9
        
     N: BBAA99887766554433221103
     A:
     P: 0001020304050607
     C: 45DD69F8F5AAE72414054CD1F35D82760B2CD00D2F99BFA9
        

N: BBAA99887766554433221104 A: 000102030405060708090A0B0C0D0E0F P: 000102030405060708090A0B0C0D0E0F C: 571D535B60B277188BE5147170A9A22C3AD7A4FF3835B8C5 701C1CCEC8FC3358

编号:BBAA99887766554433221104 A:000102030405060708090A0B0C0D0E0F P:000102030405060708090A0C0D0E0F C:571D535B60B277188BE5147170A9A22C3AD7A4FF3835B8C5701C1CCEC8FC3358

     N: BBAA99887766554433221105
     A: 000102030405060708090A0B0C0D0E0F
     P:
     C: 8CF761B6902EF764462AD86498CA6B97
        
     N: BBAA99887766554433221105
     A: 000102030405060708090A0B0C0D0E0F
     P:
     C: 8CF761B6902EF764462AD86498CA6B97
        

N: BBAA99887766554433221106 A: P: 000102030405060708090A0B0C0D0E0F C: 5CE88EC2E0692706A915C00AEB8B2396F40E1C743F52436B DF06D8FA1ECA343D

编号:BBAA99887766554433221106 A:P:000102030405060708090A0B0C0D0E0F C:5CE88EC2E092706A915C000AEB8B2396F40E1C743F52436B DF06D8FA1ECA343D

     N: BBAA99887766554433221107
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
     C: 1CA2207308C87C010756104D8840CE1952F09673A448A122
        C92C62241051F57356D7F3C90BB0E07F
        
     N: BBAA99887766554433221107
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
     C: 1CA2207308C87C010756104D8840CE1952F09673A448A122
        C92C62241051F57356D7F3C90BB0E07F
        
     N: BBAA99887766554433221108
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
     P:
     C: 6DC225A071FC1B9F7C69F93B0F1E10DE
        
     N: BBAA99887766554433221108
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
     P:
     C: 6DC225A071FC1B9F7C69F93B0F1E10DE
        
     N: BBAA99887766554433221109
     A:
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
     C: 221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3C
        E725F32494B9F914D85C0B1EB38357FF
        
     N: BBAA99887766554433221109
     A:
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
     C: 221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3C
        E725F32494B9F914D85C0B1EB38357FF
        
     N: BBAA9988776655443322110A
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     C: BD6F6C496201C69296C11EFD138A467ABD3C707924B964DE
        AFFC40319AF5A48540FBBA186C5553C68AD9F592A79A4240
        
     N: BBAA9988776655443322110A
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     C: BD6F6C496201C69296C11EFD138A467ABD3C707924B964DE
        AFFC40319AF5A48540FBBA186C5553C68AD9F592A79A4240
        
     N: BBAA9988776655443322110B
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     P:
     C: FE80690BEE8A485D11F32965BC9D2A32
        
     N: BBAA9988776655443322110B
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     P:
     C: FE80690BEE8A485D11F32965BC9D2A32
        
     N: BBAA9988776655443322110C
     A:
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     C: 2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF4
        6040C53F1432BCDFB5E1DDE3BC18A5F840B52E653444D5DF
        
     N: BBAA9988776655443322110C
     A:
     P: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F
     C: 2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF4
        6040C53F1432BCDFB5E1DDE3BC18A5F840B52E653444D5DF
        

N: BBAA9988776655443322110D A: 000102030405060708090A0B0C0D0E0F1011121314151617 18191A1B1C1D1E1F2021222324252627 P: 000102030405060708090A0B0C0D0E0F1011121314151617 18191A1B1C1D1E1F2021222324252627 C: D5CA91748410C1751FF8A2F618255B68A0A12E093FF45460 6E59F9C1D0DDC54B65E8628E568BAD7AED07BA06A4A69483 A7035490C5769E60

编号:BBAA9988776655443322110D A:000102030405060708090A0B0C0D0E0F10111121314151617 18191A1B1C1D1E1F202122252627 P:000102030405060708090A0C0D0E00111121314151617 18191A1B1C1D1E1F202122252627 C:D5CA91748410C1751FFA2F618255B68A02E0093FF45460 6E59F9C1D00809090A0B0B0B0C0C0C0C0C0C0C0C0C0D0011121311617 18191A1B1B1B1C174C125627 C:D5CA9174747410C1751F8A2F618255B45460

     N: BBAA9988776655443322110E
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F2021222324252627
     P:
     C: C5CD9D1850C141E358649994EE701B68
        
     N: BBAA9988776655443322110E
     A: 000102030405060708090A0B0C0D0E0F1011121314151617
        18191A1B1C1D1E1F2021222324252627
     P:
     C: C5CD9D1850C141E358649994EE701B68
        

N: BBAA9988776655443322110F A: P: 000102030405060708090A0B0C0D0E0F1011121314151617 18191A1B1C1D1E1F2021222324252627 C: 4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15 A5DDBFC5787E50B5CC55EE507BCB084E479AD363AC366B95 A98CA5F3000B1479

编号:BBAA9988776655443322110F A:P:000102030405060708090A0B0C0D0E0F10111121314151617 18191A1B1C1D1E1F2021222324252627 C:4412923493C57D5DE0D700F753CE0D1D2D95060122E5B5DDBFC5787E50B5CC55EE507BCB084E479AD363AC366B95 A98CA5F3000B1479

Next are several internal values generated during the OCB-ENCRYPT computation for the last test vector listed above.

接下来是在OCB-ENCRYPT计算过程中为上面列出的最后一个测试向量生成的几个内部值。

     L_*       : C6A13B37878F5B826F4F8162A1C8D879
     L_$       : 8D42766F0F1EB704DE9F02C54391B075
     L_0       : 1A84ECDE1E3D6E09BD3E058A8723606D
     L_1       : 3509D9BC3C7ADC137A7C0B150E46C0DA
     bottom    : 15 (decimal)
     Ktop      : 9862B0FDEE4E2DD56DBA6433F0125AA2
     Stretch   : 9862B0FDEE4E2DD56DBA6433F0125AA2FAD24D13A063F8B8
     Offset_0  : 587EF72716EAB6DD3219F8092D517D69
     Offset_1  : 42FA1BF908D7D8D48F27FD83AA721D04
     Offset_2  : 77F3C24534AD04C7F55BF696A434DDDE
     Offset_*  : B152F972B3225F459A1477F405FC05A7
     Checksum_1: 000102030405060708090A0B0C0D0E0F
     Checksum_2: 10101010101010101010101010101010
     Checksum_*: 30313233343536379010101010101010
        
     L_*       : C6A13B37878F5B826F4F8162A1C8D879
     L_$       : 8D42766F0F1EB704DE9F02C54391B075
     L_0       : 1A84ECDE1E3D6E09BD3E058A8723606D
     L_1       : 3509D9BC3C7ADC137A7C0B150E46C0DA
     bottom    : 15 (decimal)
     Ktop      : 9862B0FDEE4E2DD56DBA6433F0125AA2
     Stretch   : 9862B0FDEE4E2DD56DBA6433F0125AA2FAD24D13A063F8B8
     Offset_0  : 587EF72716EAB6DD3219F8092D517D69
     Offset_1  : 42FA1BF908D7D8D48F27FD83AA721D04
     Offset_2  : 77F3C24534AD04C7F55BF696A434DDDE
     Offset_*  : B152F972B3225F459A1477F405FC05A7
     Checksum_1: 000102030405060708090A0B0C0D0E0F
     Checksum_2: 10101010101010101010101010101010
     Checksum_*: 30313233343536379010101010101010
        

The next tuple shows a result with a tag length of 96 bits and a different key.

下一个元组显示一个标记长度为96位的结果和一个不同的键。

     K: 0F0E0D0C0B0A09080706050403020100
        
     K: 0F0E0D0C0B0A09080706050403020100
        

N: BBAA9988776655443322110D A: 000102030405060708090A0B0C0D0E0F1011121314151617 18191A1B1C1D1E1F2021222324252627 P: 000102030405060708090A0B0C0D0E0F1011121314151617 18191A1B1C1D1E1F2021222324252627 C: 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1 A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FD AC4F02AA

编号:BBAA9988776655443322110D A:0001020304050608090A0B0C0D0E0F10111121314151617 18191A1B1C1D1E1F202122252627 P:000102030405060708090A0C0D0F1011211314151617 18191A1B1C1D1E1F202122252627 C:1792A4 E31E0755FB031B2116E6C2DDF9EFD6F1 A0124B0A55BAE884ED93481529C76C515F4F4FD ACF02AA

The following algorithm tests a wider variety of inputs. Results are given for each parameter set defined in Section 3.1.

以下算法测试更广泛的输入。给出了第3.1节中定义的每个参数集的结果。

      K = zeros(KEYLEN-8) || num2str(TAGLEN,8)
      C = <empty string>
      for i = 0 to 127 do
         S = zeros(8i)
         N = num2str(3i+1,96)
         C = C || OCB-ENCRYPT(K,N,S,S)
         N = num2str(3i+2,96)
         C = C || OCB-ENCRYPT(K,N,<empty string>,S)
         N = num2str(3i+3,96)
         C = C || OCB-ENCRYPT(K,N,S,<empty string>)
      end for
      N = num2str(385,96)
      Output : OCB-ENCRYPT(K,N,C,<empty string>)
        
      K = zeros(KEYLEN-8) || num2str(TAGLEN,8)
      C = <empty string>
      for i = 0 to 127 do
         S = zeros(8i)
         N = num2str(3i+1,96)
         C = C || OCB-ENCRYPT(K,N,S,S)
         N = num2str(3i+2,96)
         C = C || OCB-ENCRYPT(K,N,<empty string>,S)
         N = num2str(3i+3,96)
         C = C || OCB-ENCRYPT(K,N,S,<empty string>)
      end for
      N = num2str(385,96)
      Output : OCB-ENCRYPT(K,N,C,<empty string>)
        

Iteration i of the loop adds 2i + (3 * TAGLEN / 8) bytes to C, resulting in an ultimate length for C of 22,400 bytes when TAGLEN == 128, 20,864 bytes when TAGLEN == 192, and 19,328 bytes when TAGLEN == 64. The final OCB-ENCRYPT has an empty plaintext component, so serves only to authenticate C. The output should be:

循环的迭代i将2i+(3*TAGLEN/8)字节添加到C,当TAGLEN==128时,C的最终长度为22400字节,当TAGLEN==192时,为20864字节,当TAGLEN==64时,为19328字节。最终的OCB-ENCRYPT有一个空的明文组件,因此仅用于验证C。输出应为:

AEAD_AES_128_OCB_TAGLEN128 Output: 67E944D23256C5E0B6C61FA22FDF1EA2 AEAD_AES_192_OCB_TAGLEN128 Output: F673F2C3E7174AAE7BAE986CA9F29E17 AEAD_AES_256_OCB_TAGLEN128 Output: D90EB8E9C977C88B79DD793D7FFA161C AEAD_AES_128_OCB_TAGLEN96 Output : 77A3D8E73589158D25D01209 AEAD_AES_192_OCB_TAGLEN96 Output : 05D56EAD2752C86BE6932C5E AEAD_AES_256_OCB_TAGLEN96 Output : 5458359AC23B0CBA9E6330DD AEAD_AES_128_OCB_TAGLEN64 Output : 192C9B7BD90BA06A AEAD_AES_192_OCB_TAGLEN64 Output : 0066BC6E0EF34E24 AEAD_AES_256_OCB_TAGLEN64 Output : 7D4EA5D445501CBE

埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃埃B_TAGLEN96输出:5458359AC23B0CBA9E6330DD AEAD_AES_128_OCB_标记64输出:192C9B7BD90BA06A AEAD_AES_192_OCB_标记64输出:0066BC6E0EF34E24 AEAD_AES_256_OCB_标记64输出:7D4EA5D445501CBE

Authors' Addresses

作者地址

Ted Krovetz Computer Science Department California State University, Sacramento 6000 J Street Sacramento, CA 95819-6021 USA

美国加利福尼亚州萨克拉门托市萨克拉门托J街6000号,加利福尼亚州立大学计算机科学系,邮编95819-6021

   EMail: ted@krovetz.net
        
   EMail: ted@krovetz.net
        

Phillip Rogaway Computer Science Department University of California, Davis One Shields Avenue Davis, CA 95616-8562 USA

菲利浦RoWaWe计算机科学系加利福尼亚大学,戴维斯一盾牌大道戴维斯,CA 95616-8562美国

   EMail: rogaway@cs.ucdavis.edu
        
   EMail: rogaway@cs.ucdavis.edu