OCB Authenticated Encryption

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

OCB Authenticated Encryption

Ted Krovetz-2
At last month's Workshop on Real-World Cryptography at Stanford University, Phil Rogaway released a new license for OCB, granting free use for all open-source implementations.

  http://www.cs.ucdavis.edu/~rogaway/ocb/license1.pdf

OCB is the fastest authenticated-encryption scheme that I know of, and I encourage OpenSSL to incorporate it. My C implementation achieves a rate of 0.87 CPU cycles per byte processed on Sandy Bridge processors, which is just slightly slower that CTR mode encryption and more than twice as fast as GCM. The difference is even greater on other architectures. On ARM, OCB's authentication overhead (ie, cost beyond CTR encryption) is reported to be 3.5 cpb whereas GCM's is at least 15 cpb (according to OpenSSL's notes in ghash-armv4.pl).

More about OCB, including the C code, timing results, academic papers and a draft RFC, can be found at its website

  http://www.cs.ucdavis.edu/~rogaway/ocb

I'd be happy to help with integration.

Thank you,
Ted Krovetz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Bodo Moeller
On Tue, Feb 5, 2013 at 9:20 AM, Ted Krovetz <[hidden email]> wrote:
At last month's Workshop on Real-World Cryptography at Stanford University, Phil Rogaway released a new license for OCB, granting free use for all open-source implementations.

  http://www.cs.ucdavis.edu/~rogaway/ocb/license1.pdf

There's a problem with that license, though:

"Open Source Software Implementation does not include any Software Implementation in which the software implicating the Licensed Patents is combined, so as to form a larger program, with software that is not Open Source Software."

This restriction seems OK for GPL'ed libraries (because they have a similar restriction anyway), but not for libraries that are meant to be available for use in programs that are not necessarily open source. Thus, as much as I like OCB, I'd rather keep it out of OpenSSL for now.

Bodo

Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Ted Krovetz-2
There are actually two licenses. The second allows all software (even closed), but only for non-military use.

  http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm

Does that make OCB any more acceptable?

-Ted______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Bodo Moeller
On Tue, Feb 5, 2013 at 1:41 PM, Ted Krovetz <[hidden email]> wrote:
There are actually two licenses. The second allows all software (even closed), but only for non-military use.

  http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm

Thanks.  Is some explanation of the non-military use condition available? This seems to imply you still can't use the software for any public service (that could be used for military purposes), unless the open source license applies.

Note that in any case, given the specifics of the two licenses, the new code would be excluded from default builds (so that those agreeing with the conditions of the license can explicitly enable it) -- we're doing that in other similar cases, to ensure that default builds wouldn't be considered "non-free".

Bodo

Reply | Threaded
Open this post in threaded view
|

RE: OCB Authenticated Encryption

Salz, Rich
In reply to this post by Ted Krovetz-2
> There are actually two licenses. The second allows all software (even closed), but only for non-military use.

I would say that's still a problem.  For example, we could use OpenSSL on our network to provide acceleration for public DoD sites.  Is that military use?  Suppose it's for use on a CIA extranet? Suppose it's for use on an internal FBI network linking field offices to HQ?  To the CIA doing the same thing internationally?  How do I decide?  How does the OpenSSL team set things up so that their (yes, yes, non-paying) customers don't do the wrong thing by default?

If you want to limit the use of your invention, which is entirely your right, it is best to distribute it yourself.

        /r$
--  
Principal Security Engineer
Akamai Technology
Cambridge, MA
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Steve Marquess-3
On 02/06/2013 09:43 AM, Salz, Rich wrote:
>> There are actually two licenses. The second allows all software (even closed), but only for non-military use.
>
> I would say that's still a problem.  For example, we could use OpenSSL on our network to provide acceleration for public DoD sites.  Is that military use?  Suppose it's for use on a CIA extranet? Suppose it's for use on an internal FBI network linking field offices to HQ?  To the CIA doing the same thing internationally?  How do I decide?  How does the OpenSSL team set things up so that their (yes, yes, non-paying) customers don't do the wrong thing by default?
>
> If you want to limit the use of your invention, which is entirely your right, it is best to distribute it yourself.

+1.

The intent is noble but the practical implications get messy very
quickly. For better or worse OpenSSL is very widely used, for good as
well as evil, and the licensing situation is muddled enough as it is.

Personally I think the existence and unrestricted availability of
OpenSSL benefits the good far more than evil.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Matt Caswell (frodo@baggins.org)
On 6 February 2013 15:04, Steve Marquess <[hidden email]> wrote:

> On 02/06/2013 09:43 AM, Salz, Rich wrote:
>>> There are actually two licenses. The second allows all software (even closed), but only for non-military use.
>>
>> I would say that's still a problem.  For example, we could use OpenSSL on our network to provide acceleration for public DoD sites.  Is that military use?  Suppose it's for use on a CIA extranet? Suppose it's for use on an internal FBI network linking field offices to HQ?  To the CIA doing the same thing internationally?  How do I decide?  How does the OpenSSL team set things up so that their (yes, yes, non-paying) customers don't do the wrong thing by default?
>>
>> If you want to limit the use of your invention, which is entirely your right, it is best to distribute it yourself.
>
> +1.
>
> The intent is noble but the practical implications get messy very
> quickly. For better or worse OpenSSL is very widely used, for good as
> well as evil, and the licensing situation is muddled enough as it is.
>
> Personally I think the existence and unrestricted availability of
> OpenSSL benefits the good far more than evil.
>

There is a third option for licensing of OCB. From Phil Rogaway's website:

"For other contexts, I license OCB under fair, reasonable, and
non-discriminatory terms. Here is an old patent-assurance letter I
wrote for the IEEE promising this. I expect licensees to pay a small,
one-time fee. I intend that no solvent company should find licensing
to be a significant burden."

Would the OpenSSL Foundation ever consider purchasing such a license
(assuming sufficient sponsorship could be found), if the license could
be made compatible with the OpenSSL license?

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Michael Sierchio
Does Phil still teach at UC Davis?  You could always ask him directly
for clarification or a waiver.

- M
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Matt Caswell (frodo@baggins.org)
On 27 March 2013 11:52, Michael Sierchio <[hidden email]> wrote:
> Does Phil still teach at UC Davis?  You could always ask him directly
> for clarification or a waiver.

Hi contact details are on the web page describing the various license
options (and yes its a UC Davis email address). It would be good if
someone from OSF at least had a discussion with him. It would be a
shame not to implement this excellent mode simply for not asking the
right questions!

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Ben Laurie-2
On 27 March 2013 12:04, Matt Caswell <[hidden email]> wrote:
> On 27 March 2013 11:52, Michael Sierchio <[hidden email]> wrote:
>> Does Phil still teach at UC Davis?  You could always ask him directly
>> for clarification or a waiver.
>
> Hi contact details are on the web page describing the various license
> options (and yes its a UC Davis email address). It would be good if
> someone from OSF at least had a discussion with him. It would be a
> shame not to implement this excellent mode simply for not asking the
> right questions!

The OSF is not actually the one that would benefit from such a
licence, so the whole idea that it (or we) should pay for one seems
weird to me.

>
> Matt
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [hidden email]
> Automated List Manager                           [hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Matt Caswell (frodo@baggins.org)
On 27 March 2013 21:03, Ben Laurie <[hidden email]> wrote:
> The OSF is not actually the one that would benefit from such a
> licence, so the whole idea that it (or we) should pay for one seems
> weird to me.
>
Well, I wasn't actually suggesting that the OSF should pay for it
itself, merely that the OSF could be the conduit for organising the
licensing (in much the same way as it has been the conduit for
organising the FIPS certification). The licensing only impacts US
users of OpenSSL (as I understand it the patents under discussion here
are only applicable within the US), and therefore the benefits would
be largely felt by its customers -although in reality we all benefit
by removing a blocker from integrating a mode into the code base with
some significant advantages (OCB is supposedly significantly faster
than GCM).

If it comes to paying for it then I would hope that it may be possible
to achieve sufficient corporate sponsorship to cover the costs (as I
said in my original email). However, at this stage, all that is
required is for someone to open a discussion with Phil Rogaway to see
what can be achieved (maybe he will grant OpenSSL a waiver without any
money changing hands at all). My suggestion is that that discussion
could be initiated by the OSF (it seems a natural fit to me)...but
really it could be anyone from the core dev team who can claim to
speak for the project.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: OCB Authenticated Encryption

Steve Marquess-3
On 03/28/2013 10:31 AM, Matt Caswell wrote:

> On 27 March 2013 21:03, Ben Laurie <[hidden email]> wrote:
>> The OSF is not actually the one that would benefit from such a
>> licence, so the whole idea that it (or we) should pay for one seems
>> weird to me.
>>
> Well, I wasn't actually suggesting that the OSF should pay for it
> itself, merely that the OSF could be the conduit for organising the
> licensing (in much the same way as it has been the conduit for
> organising the FIPS certification). The licensing only impacts US
> users of OpenSSL (as I understand it the patents under discussion here
> are only applicable within the US), and therefore the benefits would
> be largely felt by its customers -although in reality we all benefit
> by removing a blocker from integrating a mode into the code base with
> some significant advantages (OCB is supposedly significantly faster
> than GCM).
>
> If it comes to paying for it then I would hope that it may be possible
> to achieve sufficient corporate sponsorship to cover the costs (as I
> said in my original email). However, at this stage, all that is
> required is for someone to open a discussion with Phil Rogaway to see
> what can be achieved (maybe he will grant OpenSSL a waiver without any
> money changing hands at all). My suggestion is that that discussion
> could be initiated by the OSF (it seems a natural fit to me)...but
> really it could be anyone from the core dev team who can claim to
> speak for the project.

I've sent Prof. Rogaway a note on this topic, but from his web site his
intent seems pretty clear. It won't hurt to ask, though.

As Ben noted we're not in a position to fund external costs for a
product we give away for free. We have enough overhead expenses already
for our modest budget. We can and do work with commercial or government
sponsors that fund such expenses, but in this case I suspect money won't
be the deciding factor.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]