Hi,

As some might remember, I've been working on a draft for AES-OCB cipher suites in TLS (https://datatracker.ietf.org/doc/draft-zauner-tls-aes-ocb/), where, ideally, OCB would replace CCM [or even GCM, but I don't think that's realistic] in TLS.

At the beginning of this summer Rogaway and IBM (Jutla) filed IPR exemptions for this very draft for use of OCB specific to TLS. What was unclear until very recently was whether patents by Gligor/Donescu would be relevant to this document. I've been told that these patents aren't relevant because IPR by Rogaway and Jutla pre-dates them by years. In more detail:

```
IBM patents/publications on IAPM/OCB

7,093,126 "Encryption schemes with almost free integrity awareness"
  filed April 14, 2000. (Fig 10 describes the parallelized scheme.
  Also described in detail in text of the patent).

Eprint ia.cr/2000/039 "Encryption Modes with Almost Free Message Integrity".
  1 Aug 2000. (Section 2.1 describes the parallelizable mode IAPM,
  also see Fig 2 on page 5).

6,963,976 "Symmetric key authenticated encryption schemes"
  filed November 3, 2000. (Claim 23 says all blocks to be encrypted in parallel).

Gligor and Donescu Patents/Publications

6,973,187 "Block encryption method and schemes for data confidentiality
  and integrity protection" filed Jan 18, 2001.
  This patent does not describe ciphertext stealing as done in Rogaway's OCB
  to handle non-standard size messages. Also, it does not describe any ways
  to generate the whitening sequence as used in OCB (which are not already
  covered by IBM patents).

Virgil D. Gligor, Pompiliu Donescu: Fast Encryption and Authentication:
  XCBC Encryption and XECB Authentication Modes. FSE 2001: 92-108

Their earlier paper from 1999 was a broken scheme.
  (Virgil D. Gligor, Pompiliu Donescu: Integrity-Aware PCBC Encryption Schemes.
  Security Protocols Workshop 1999: 153-171)
```

Usual reminder here: I'm not a lawyer, nor am I intimately familiar with US patent law in particular.

Hope this gets the discussion started again, as OCB is a very elegant mode which I'd like to see deployed instead of CCM, at least. What's missing currently are implementations. There are primitives available in OpenSSL, but code is missing for OCB use with TLS.

I probably won't find time to add this code, so if someone is interested, please let me know.

Aaron
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls