Kenny Paterson and I prepared a document providing an overview of how
much data ChaCha20+Poly1305 and AES-GCM can process with a single key.
Besides summarizing the results, the document also gives an explanation
of why the limits are there. The document confirms the analysis done by
Watson and
ion 5, it seems like as \sigma >> q you should
be able
to encrypt rather more submaximal (e.g., 1K) records than maximal size
records.
Finally, and this calls for an opinion: do you believe that given
these results
we should include a KeyUpdate feature in TLS 1.3?
Thanks,
-Ekr
On Tue, Mar 8, 20
