On Nov 2, 2015 2:14 AM, "Dang, Quynh" <quynh.d...@nist.gov> wrote:
>
> Hi Eric,
>
>
> As you asked the question about how many ciphertext blocks should be safe
> under a single key, I think it is safe to have 2^96 blocks under a given
> key if the IV (counter) is 96 bits.

This is wrong for PRP, right for PRF. It's not that hard to find the right
result.

>
>
> When there is a collision between two ciphertext blocks when two
> different counter values are used, the chance that the same plaintext was
> used twice is 1^128.  Collisions start to happen a lot when the number of
> ciphertext blocks is above 2^64. However, each collision just reveals that
> the corresponding plaintext blocks are probably different ones.

Which breaks IND-$. Let's not be clever, but stick to ensuring proven
definitions are true.

>
>
>
> Quynh.
>
>
> _______________________________________________
> Cfrg mailing list
> c...@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
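
Added example, not part of the original thread: a scaled-down measurement of the PRP/PRF gap and the IND-$ distinguisher discussed above. It assumes the block cipher behaves as an ideal random permutation and uses a constructed 16-bit toy block size so the birthday region is reachable; all function names are hypothetical.

```python
import math
import random

def switching_bound(q, n_bits):
    """PRP/PRF switching bound q(q-1)/2^(n+1), capped at 1."""
    return min(1.0, q * (q - 1) / 2 ** (n_bits + 1))

def p_all_distinct(q, n_bits):
    """Probability that q uniformly random n-bit blocks never repeat."""
    size = 2 ** n_bits
    if q > size:
        return 0.0
    return math.exp(sum(math.log1p(-i / size) for i in range(q)))

def ctr_keystream(q, n_bits, rng):
    """Keystream of CTR over an ideal cipher (random permutation):
    q distinct counters always give q distinct blocks."""
    return rng.sample(range(2 ** n_bits), q)

def random_blocks(q, n_bits, rng):
    """What IND-$ demands the output look like: independent uniform blocks."""
    return [rng.randrange(2 ** n_bits) for _ in range(q)]

def guess_ctr(blocks):
    """Distinguisher: answer 'CTR' exactly when no block repeats."""
    return len(set(blocks)) == len(blocks)

def measured_advantage(q, n_bits, trials, seed=2015):
    """Empirical Pr[guess CTR | CTR] - Pr[guess CTR | random]."""
    rng = random.Random(seed)
    ctr = sum(guess_ctr(ctr_keystream(q, n_bits, rng)) for _ in range(trials))
    rnd = sum(guess_ctr(random_blocks(q, n_bits, rng)) for _ in range(trials))
    return (ctr - rnd) / trials

if __name__ == "__main__":
    n = 16  # toy block size (assumption); birthday region is around 2^8 blocks
    for q in (16, 256, 1024):
        print(q, measured_advantage(q, n, 500), 1 - p_all_distinct(q, n),
              switching_bound(q, n))
    for log_q in (48, 64, 96):  # 128-bit blocks, as for AES
        print(f"2^{log_q} blocks: bound {switching_bound(2 ** log_q, 128):.3g}")
```

With known plaintext the keystream blocks are visible to an observer, so the absence of any repeated block is itself the distinguishing signal once the block count approaches 2^(n/2).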
