> -----Original Message-----
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Henrick Hellström
> Sent: Tuesday, December 15, 2015 7:09 PM
> To: tls@ietf.org
> Subject: Re: [TLS] Data volume limits
> 
> On 2015-12-16 00:48, Eric Rescorla wrote:
> >
> >
> > On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
> > <sfluh...@cisco.com <mailto:sfluh...@cisco.com>> wrote:
> >     The quadratic behavior in the security proofs are there for just
> >     about any block cipher mode, and is the reason why you want to stay
> >     well below the birthday bound.
> >
> >
> > The birthday bound here is 2^{64}, right?
> >
> > -Ekr
> >
> >        However, that's as true for (say) CBC mode as it is for GCM
> 
> Actually, no.
> 
> Using the sequence number as part of the effective nonce, means that it
> won't collide. There is no relevant bound for collisions in the nonces or in
> the CTR state, because they simply won't happen (unless there is an
> implementation flaw). There won't be any potentially exploitable collisions.
> 
> However, theoretically, the GHASH state might collide with a 2^{64} birthday
> bound. This possibility doesn't seem entirely relevant, though.

That is a good point, and deserves to be examined more.

With CBC mode, there's a probability that two different ciphertext blocks will 
happen to be identical; when that unlikely event happens, the attacker can 
determine the bitwise difference between the corresponding plaintext blocks 
(and thereby leak a small amount of plaintext).

This doesn't happen with GCM.  Instead, the distinguisher is of this form: the 
attacker with a potential plaintext can compute the internal CTR values for 
GCM; if he sees a duplicate value, he can deduce that that potential plaintext 
wasn't the real one (because the internal CTR values never repeat).

Assuming that they cannot distinguish AES with a random key from a random 
permutation, that's the only thing they can learn.

That is, when they prove that there is no distinguisher with better than 
2^{-64} advantage, what they are referring to (in practice) is that the 
attacker could eliminate a tiny fraction (1 out of 2^{64}) of the possible 
plaintexts; they gain no more information than that.

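To make the two distinguishers in the message above concrete (the CBC ciphertext-block collision that leaks P_i xor P_j, and the CTR keystream blocks that can never repeat), here is an added example that is not part of the thread. It uses a seeded random permutation on 16-bit blocks as a stand-in for AES so the birthday bound is reached within a few thousand blocks instead of 2^64; every name, seed and sample plaintext in it is constructed for the illustration.

```python
import random

BLOCK_BITS = 16          # toy block size; AES would be 128, birthday bound 2^64 blocks
N = 1 << BLOCK_BITS

def make_cipher(seed=1):
    """Toy block cipher: a seeded random permutation standing in for AES under one key."""
    table = list(range(N))
    random.Random(seed).shuffle(table)
    return table

def cbc_encrypt(perm, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]        # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return out

def cbc_collision_leak(iv, ct):
    """If C_i == C_j then P_i xor C_{i-1} == P_j xor C_{j-1}, so P_i xor P_j == C_{i-1} xor C_{j-1}.
    Returns (i, j, P_i xor P_j) for the first repeated ciphertext block, or None."""
    chain = [iv] + ct                # chain[k] is C_{k-1}
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None

def ctr_encrypt(perm, nonce, blocks):
    return [p ^ perm[(nonce + i) % N] for i, p in enumerate(blocks)]

def ctr_candidate_is_impossible(ct, candidate):
    """Keystream blocks E(nonce+i) are permutation outputs on distinct inputs, so within N blocks
    they never repeat. A candidate plaintext that implies a repeated keystream block is ruled out."""
    keystream = [c ^ p for c, p in zip(ct, candidate)]
    return len(set(keystream)) != len(keystream)

def demo(seed=1, nblocks=2000):
    """Constructed run: ~2000 random blocks are far past the toy 2^8 birthday bound."""
    perm, rng = make_cipher(seed), random.Random(seed + 1)
    pt = [rng.randrange(N) for _ in range(nblocks)]
    iv = rng.randrange(N)
    leak = cbc_collision_leak(iv, cbc_encrypt(perm, iv, pt))
    leak_correct = leak is not None and leak[2] == pt[leak[0]] ^ pt[leak[1]]
    ctr_ct = ctr_encrypt(perm, rng.randrange(N), pt)
    wrong_guess = [rng.randrange(N) for _ in range(nblocks)]
    return {"cbc_leak_correct": leak_correct,
            "ctr_true_plaintext_flagged": ctr_candidate_is_impossible(ctr_ct, pt),
            "ctr_wrong_plaintext_flagged": ctr_candidate_is_impossible(ctr_ct, wrong_guess)}
```

Scaling the toy to AES's 128-bit block is what turns "a few thousand blocks" into the 2^64-block figure the thread uses, and is the reason for rekeying well before that limit.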

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls