On 2015-12-16 00:48, Eric Rescorla wrote:
> On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
> <sfluh...@cisco.com <mailto:sfluh...@cisco.com>> wrote:
>> The quadratic behavior in the security proofs is there for just
>> about any block cipher mode, and is the reason why you want to stay
>> well below the birthday bound.
> The birthday bound here is 2^{64}, right?
> -Ekr
>> However, that's as true for (say) CBC mode as it is for GCM
Actually, no.
Using the sequence number as part of the effective nonce means that it
won't collide. There is no relevant bound for collisions in the nonces
or in the CTR state, because they simply won't happen (unless there is
an implementation flaw). There won't be any potentially exploitable
collisions.
However, theoretically, the GHASH state might collide with a 2^{64}
birthday bound. This possibility doesn't seem entirely relevant, though.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
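The distinction drawn above (deterministic sequence-number nonces cannot collide, while a 128-bit state still has a 2^64 birthday bound) can be checked numerically. The following is an added example, not code from the thread or from any TLS implementation; it assumes the TLS 1.3 nonce construction (sequence number padded to the IV length and XORed with a static write_iv), a constructed sample write_iv, and a deliberately small random-nonce space so the contrast case runs quickly.

```python
import math
import secrets

IV_LEN = 12  # GCM nonce length in bytes used by TLS 1.3 (RFC 8446 5.3)

def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 per-record nonce: the 64-bit record sequence number,
    left-padded with zeros to IV_LEN, XORed with the static write_iv.
    XOR with a constant is a bijection, so distinct seq => distinct nonce."""
    if len(write_iv) != IV_LEN or not 0 <= seq < 2**64:
        raise ValueError("bad write_iv length or sequence number")
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))

def ctr_blocks(nonce: bytes, n_blocks: int) -> list:
    """GCM counter inputs for one record: nonce || 32-bit block counter.
    Counter 1 is reserved for the tag mask; plaintext blocks start at 2."""
    return [nonce + c.to_bytes(4, "big") for c in range(2, 2 + n_blocks)]

def ctr_inputs_unique(write_iv: bytes, n_records: int, blocks_per_record: int) -> bool:
    """True if every CTR input across all records is distinct: the nonce part
    differs per record and the counter part differs within a record."""
    seen = set()
    for seq in range(n_records):
        for blk in ctr_blocks(tls13_nonce(write_iv, seq), blocks_per_record):
            if blk in seen:
                return False
            seen.add(blk)
    return True

def draws_until_random_repeat(nonce_bits: int) -> int:
    """Contrast case: nonces drawn uniformly from a 2^nonce_bits space repeat
    after roughly sqrt(2^nonce_bits) draws (the birthday bound). Uses a small
    space so the collision shows up in milliseconds."""
    seen = set()
    while True:
        x = secrets.randbits(nonce_bits)
        if x in seen:
            return len(seen)
        seen.add(x)

def birthday_draws_log2(state_bits: int, prob: float = 0.5) -> float:
    """log2 of the number of uniform draws from a 2^state_bits space needed for
    a collision with probability `prob`. For a 128-bit GHASH state this is
    about 64, the 2^64 figure quoted in the thread."""
    return math.log2(math.sqrt(2 * 2**state_bits * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    iv = bytes.fromhex("0123456789abcdef01234567")  # constructed sample write_iv
    print(ctr_inputs_unique(iv, 1000, 4), draws_until_random_repeat(16),
          round(birthday_draws_log2(128), 2))
```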