strlcat / tfcrypt

tfcrypt -- high security Threefish encryption tool.

Questions: OCB mode, its block size, its security and counter size. #6

Closed phantomcraft closed 2 years ago

phantomcraft commented 2 years ago

I have some questions about Threefish used with OCB mode.

What is its block size? 4096 bytes (128*32), as in TF-XTS?

And about its security, does it provide quadratic security? I mean, will it double the bits of security of the encipherment? As I can see, a 128-bit chunk is added to the beginning of the encrypted file when encrypting with the "-c rand" option. If I keep the Threefish key and this data chunk secret, will the security of the encryption be increased?

And for the counter, what is its size? How many different blocks can this OCB implementation encrypt?

And, is this OCB implementation OCB3? OCB1 and 2 have security issues: https://en.wikipedia.org/wiki/OCB_mode#Attacks

strlcat commented 2 years ago

Block sizes for all "wide" block modes are controlled by the xtsblocks variable, which is initialized at https://github.com/electrorys/tfcrypt/blob/5faadb0da4b63d4aa3359cfd97953738ee59a90d/tfc_vars.c#L53. The program's initial value for it is 32, hence the wide block size is equal to TF_BLOCK_SIZE * 32. In the default setup it will be 128 * 32.

Contrary to XTS, OCB does not use a second key. Anyway, you shall never rely on security extensions done by modes; they shall only be done by the cipher itself. I would say neither OCB nor XTS provides more security than the cipher allows you to.

Sharing counter data (generated for example by the -c rand option) in public shall not be a problem, and in some situations it is recommended. The reason it is not disclosed to the public by default is purely technical: this program was written to encrypt static, fixed-block media such as a disk or flash drive without any additional information prepended to it. You can't put the counter somewhere onto it if all data is going to be encrypted anyway.

The default counter size is the same as TF_BLOCK_SIZE. With the default setup, it will be 128. The ctr_inc() primitive operates over TF_NR_BLOCK_UNITS.

This OCB implementation traces back to the Mumble OCB-AES128 implementation, copied straight by me from the uMurmur codebase, which is suspected to be OCB2. Given that the only benefit of OCB is performance when doing MAC, and the drawbacks are increased code logic, being hard to audit and implement, and restrictive licensing for non-GPL code, keeping it here can cause legal troubles. Hence, I am now removing it from the Threefish library.
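
Added example, not part of the original thread and not tfcrypt's own code: the sizes given in the answer above for the default setup, plus a counter increment that carries across all units of a block-sized counter. The function names, the 64-bit unit size (as in the Threefish specification) and the least-significant-unit-first order are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values stated in the thread for the default setup. */
#define TF_BLOCK_SIZE 128   /* bytes per Threefish block */
#define XTSBLOCKS     32    /* initial value of xtsblocks */

/* Assumption: the counter is an array of 64-bit units. */
#define CTR_UNITS (TF_BLOCK_SIZE / sizeof(uint64_t))   /* 16 units */

/* Wide block size in bytes: TF_BLOCK_SIZE * xtsblocks. */
size_t wide_block_bytes(size_t xtsblocks)
{
    return (size_t)TF_BLOCK_SIZE * xtsblocks;
}

/* Counter width in bits when the counter is TF_BLOCK_SIZE bytes long. */
size_t ctr_bits(void)
{
    return (size_t)TF_BLOCK_SIZE * 8;
}

/*
 * Hypothetical helper: add 1 to an n-unit counter, unit 0 least significant.
 * Returns 1 when the whole counter wrapped to zero (values would repeat
 * from here on), 0 otherwise.
 */
int ctr_inc_units(uint64_t *ctr, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (++ctr[i] != 0)
            return 0;           /* no carry out of this unit: done */
    }
    return 1;                   /* carry left the top unit */
}

int main(void)
{
    uint64_t ctr[CTR_UNITS];

    printf("wide block: %zu bytes, counter: %zu bits\n",
           wide_block_bytes(XTSBLOCKS), ctr_bits());

    memset(ctr, 0, sizeof ctr);
    ctr[0] = UINT64_MAX;        /* constructed value: lowest unit saturated */
    ctr_inc_units(ctr, CTR_UNITS);
    printf("after carry: unit0=%llu unit1=%llu\n",
           (unsigned long long)ctr[0], (unsigned long long)ctr[1]);

    memset(ctr, 0xff, sizeof ctr);   /* constructed value: counter at maximum */
    printf("wrapped: %d\n", ctr_inc_units(ctr, CTR_UNITS));
    return 0;
}
```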

phantomcraft commented 2 years ago

Ok, thanks for the answer.