Tony,
You are correct. An indistinguishability bound promises you that no attacks will be below the bound, assuming the claimed property(ies) of the underlying function in the construction (mode) hold(s). A distinguishing attack below the bound tells you that the construction or the underlying function is not as strong or ideal as you would like, but it does not directly (100%) lead to a break of plaintext confidentiality or authenticity. Here, confidentiality protection of plaintext(s) means that an attacker who does not know the key cannot find out any part of the plaintext(s) by decryption. And I explained the point in the previous emails.

Under the indistinguishability framework, one should not even go to 2^32 blocks with GCM when the IV space is 2^64, because there is a high probability of ciphertext collision with 2^32 ciphertexts.

Quynh.

________________________________
From: Tony Arcieri <basc...@gmail.com>
Sent: Friday, November 6, 2015 7:59 PM
To: Watson Ladd
Cc: Dang, Quynh; tls@ietf.org
Subject: Re: [TLS] Data limit for GCM under a given key.

On Friday, November 6, 2015, Watson Ladd <watsonbl...@gmail.com> wrote:
> On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh <quynh.d...@nist.gov> wrote:
> > I did not talk under indistinguishability framework. My discussion was about
> > confidentiality protection and authentication.
>
> What is the definition of "confidentiality protection" being used here?

I too am confused by Quynh's statement. Indistinguishability is the modern bar for confidentiality and authentication. Quynh, are you talking about anything less than IND-CCA2? If you are, that is less than the modern bar I would personally consider acceptable.

--
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
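The "high probability of ciphertext collision with 2^32 ciphertexts" figure in Quynh's message is a birthday-bound estimate. The following is an added worked example, not code from the thread or from any of its participants: it computes the generic birthday collision probability for q values drawn uniformly from a space of size N, cross-checks the approximation against the exact product for a small case, and inverts the bound to find how many values keep the collision probability at or below a chosen target. Plugging in the numbers from the email (q = 2^32 values, a 2^64 space) gives roughly 0.39. Which quantity is modelled as a uniform random value (IVs, or keystream/ciphertext blocks) and the comparison with a 2^96 space are assumptions of the example, not claims the thread makes.

```python
import math


def birthday_collision_probability(q: int, space_size: int) -> float:
    """Approximate probability that at least one pair among q values drawn
    uniformly and independently from a set of size N = space_size coincides.

    Uses the standard estimate p ~= 1 - exp(-q(q-1) / (2N)).  math.expm1 keeps
    full precision when the probability is tiny (e.g. around 2**-32), where
    1.0 - math.exp(...) would lose most of its significant digits.
    """
    if q < 2:
        return 0.0
    exponent = -(q * (q - 1)) / (2 * space_size)
    return -math.expm1(exponent)


def exact_birthday_collision_probability(q: int, space_size: int) -> float:
    """Exact value 1 - prod_{i=0}^{q-1} (1 - i/N).

    Only practical for small q (the loop runs q times); it is used here to
    cross-check the closed-form approximation above.
    """
    if q > space_size:
        return 1.0
    no_collision = 1.0
    for i in range(q):
        no_collision *= 1.0 - i / space_size
    return 1.0 - no_collision


def max_queries_for_bound(space_size: int, max_probability: float) -> int:
    """Largest q such that the approximate collision probability among q
    uniform values from a space of size N stays at or below max_probability.

    Starts from the first-order estimate q ~= sqrt(2 N p) (p ~= q^2 / 2N for
    small p) and steps down until the approximation is satisfied, so the
    result is conservative.
    """
    q = math.isqrt(int(2 * space_size * max_probability))
    while q > 1 and birthday_collision_probability(q, space_size) > max_probability:
        q -= 1
    return q


if __name__ == "__main__":
    # The case from the email: 2^32 values in a 2^64 space (assumed uniform).
    p_64 = birthday_collision_probability(2**32, 2**64)
    print(f"2^32 values in a 2^64 space: collision probability ~= {p_64:.4f}")

    # Assumed comparison: the same number of values in a 2^96 space.
    p_96 = birthday_collision_probability(2**32, 2**96)
    print(f"2^32 values in a 2^96 space: collision probability ~= {p_96:.3e}")

    # Classic sanity check of the approximation against the exact product.
    print("23 of 365, exact  :", exact_birthday_collision_probability(23, 365))
    print("23 of 365, approx :", birthday_collision_probability(23, 365))

    # Invert the bound: how many values keep p <= 2^-32 in a 2^64 space?
    q_limit = max_queries_for_bound(2**64, 2**-32)
    print(f"values allowed for p <= 2^-32 in a 2^64 space: {q_limit} (~2^{math.log2(q_limit):.1f})")
```

The inversion step is the shape of a data-limit argument: pick the distinguishing advantage you are willing to tolerate, and the birthday bound tells you how many uniform values (and hence how much data) a key may see before that advantage is exceeded. The exact-product function exists only to show that the exponential approximation is tight for the regime that matters (q much smaller than N); it is not meant to be called with q anywhere near 2^32.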