On 2015-12-16 12:17, Eric Rescorla wrote:
Can we see a brief writeup explaining the 2^36 number?
I believe Watson provided one a while back at:
https://www.ietf.org/mail-archive/web/tls/current/msg18240.html

One rather obvious problem with trying to equate probability of loss of
confidentiality with the advantage for an IND-KPA adversary is that the
IND-models don't account for the length of the plaintext.

The real-life problem is that you lose a lot more information a lot
faster by revealing the amount and frequency of the data transfer than
through the KPA distinguisher for CTR mode.

And, furthermore, the IND-KPA distinguisher is a fairly well understood
abstract artifact of CTR mode. It is not obviously relevant to compare
it to distinguishers for primitives such as RC4, which typically
indicate that there might be even worse problems.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls