On Wed, Dec 16, 2015 at 7:07 AM, Henrick Hellström <henr...@streamsec.se> wrote:
> On 2015-12-16 12:17, Eric Rescorla wrote:
>>
>> Can we see a brief writeup explaining the 2^36 number?
>>
>>
>> I believe Watson provided one a while back at:
>> https://www.ietf.org/mail-archive/web/tls/current/msg18240.html
>
>
> One rather obvious problem with trying to equate probability of loss of
> confidentiality with the advantage for an IND-KPA adversary, is that the
> IND-models don't account for the length of the plain text.
>
> The real life problem is that you lose a lot more information a lot faster,
> by revealing the amount and frequency of the data transfer, than through the
> KPA distinguisher for CTR mode.
>
> And, furthermore, the IND-KPA distinguisher is a fairly well understood
> abstract artifact of CTR mode. It is not obviously relevant to compare it to
> distinguishers for primitives such as RC4, which typically indicate that
> there might be even worse problems.
Sure it is. An attacker can distinguish RC4 from random with a very high probability (I didn't work it out, but it's an exercise in Bayes theorem and your favorite biases). I agree this doesn't cover side channel information related to plaintext length and timing, but there is a padding facility intended to help with that.

--
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
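The "exercise in Bayes theorem and your favorite biases" in the reply above, set beside the CTR-mode distinguisher it is being contrasted with, as an added example that is not part of the thread: a sequential Bayesian test that accumulates evidence from one keystream bias, and the PRP/PRF switching bound q^2 / 2^(n+1) that caps what a CTR-mode collision distinguisher can achieve. The bias used is the published Mantin-Shamir second-byte bias (zero with probability about 2/256 instead of 1/256), and the 2^36 figure is plugged in only as an assumed count of 128-bit blocks, not as whatever the linked writeup meant by it.

```python
import math

# Constructed single-bias model: probability that a keystream byte is zero
# under the biased cipher (Mantin-Shamir second-byte bias) versus under a
# uniformly random stream. The exact magnitude is an assumption for this example.
P_BIASED_ZERO = 2 / 256
P_UNIFORM_ZERO = 1 / 256


def log_likelihood_ratio(observations):
    """Sum of log(P(byte | biased) / P(byte | uniform)) over observed bytes,
    treating each observation as an independent second-byte sample."""
    llr = 0.0
    for b in observations:
        if b == 0:
            llr += math.log(P_BIASED_ZERO / P_UNIFORM_ZERO)
        else:
            llr += math.log((1 - P_BIASED_ZERO) / (1 - P_UNIFORM_ZERO))
    return llr


def posterior_biased(observations, prior=0.5):
    """Posterior probability that the stream is the biased cipher (Bayes' theorem
    in odds form: posterior odds = prior odds * likelihood ratio)."""
    prior_odds = prior / (1 - prior)
    post_odds = prior_odds * math.exp(log_likelihood_ratio(observations))
    return post_odds / (1 + post_odds)


def expected_samples_for_posterior(target, prior=0.5):
    """Expected number of independent samples until the posterior reaches
    `target`, using the expected LLR per sample (the KL divergence of the
    biased distribution from uniform)."""
    kl = (P_BIASED_ZERO * math.log(P_BIASED_ZERO / P_UNIFORM_ZERO)
          + (1 - P_BIASED_ZERO) * math.log((1 - P_BIASED_ZERO) / (1 - P_UNIFORM_ZERO)))
    needed_llr = math.log(target / (1 - target)) - math.log(prior / (1 - prior))
    return math.ceil(needed_llr / kl)


def ctr_distinguishing_advantage(blocks, block_bits=128):
    """PRP/PRF switching bound on the advantage of a CTR-mode distinguisher
    that watches for a repeated ciphertext block: q^2 / 2^(n+1)."""
    return blocks * blocks / 2 ** (block_bits + 1)


if __name__ == "__main__":
    print("samples to reach 99.9% posterior (biased byte):",
          expected_samples_for_posterior(0.999))
    print("CTR advantage bound at 2^36 blocks (assumed count):",
          ctr_distinguishing_advantage(2 ** 36))
```

The two numbers make the contrast in the thread concrete: a few thousand biased samples drive the posterior to near certainty, while the CTR-mode bound at an assumed 2^36 blocks stays at 2^-57.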