Hi Samuel,

* Samuel Neves <sne...@dei.uc.pt> [01/01/2016 12:19:36] wrote:
> OCB is, if anything, worse than GCM when it comes to data volume limits. It
> has the same confidentiality bounds as GCM (slightly worse, in fact), but once
> you hit a collision you also lose authenticity and enable simple forgeries [1].

If I understand correctly the same is true for GCM? I did not say that OCB provides beyond-birthday bound security. I'm well aware that the mode does not really affect this issue in that particular case.

> The real issue here is the block size of AES, not the security bounds of
> particular modes. Those are by and large all limited by the birthday bound.
> You could go with more exotic beyond-birthday modes, but there don't seem to
> be any being proposed for TLS. The simple solution to the birthday blues is,
> of course, to use a larger block.

Sure. Agreed.

Thanks for the feedback,
Aaron
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
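The exchange above turns on the birthday bound: with a b-bit block, the chance that two of n random blocks coincide grows roughly as n^2 / 2^(b+1), and for GCM or OCB a collision is where the security argument stops. The following Python is an added example, not code or a formula from this thread or from [1]: it uses the generic union-bound estimate p <= n(n-1)/2^(b+1) (an assumption about the model, stated here rather than taken from the thread) to compute how much data a 64-, 128- or 256-bit block allows under the same collision budget, which is the "use a larger block" point in numbers.

```python
from math import isqrt

# Added example (not from the thread). Assumption: the standard birthday
# union bound p <= n(n-1) / 2^(b+1) for the probability that at least two of
# n uniformly random b-bit blocks coincide. This is the bound behind the
# per-key data volume limits for 128-bit-block modes such as GCM and OCB.


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Upper bound on Pr[some pair of n_blocks random block_bits-bit blocks
    collides]: (number of pairs) * 2^-block_bits."""
    pairs = n_blocks * (n_blocks - 1) // 2  # n(n-1) is always even
    return pairs / 2 ** block_bits


def max_blocks(block_bits: int, log2_p: int) -> int:
    """Largest n with collision_probability(block_bits, n) <= 2**log2_p,
    computed exactly in integers. log2_p is negative, e.g. -32 for a
    2^-32 collision budget (a common target for a key's lifetime)."""
    exp = block_bits + 1 + log2_p
    if exp < 0:
        return 1                      # budget too small for even one pair
    limit = 2 ** exp                  # condition: n * (n - 1) <= limit
    n = isqrt(limit)                  # n^2 <= limit implies n(n-1) <= limit
    while (n + 1) * n <= limit:       # step up while the next n still fits
        n += 1
    return n


def max_bytes(block_bits: int, log2_p: int) -> int:
    """Same limit expressed as bytes of data processed under one key."""
    return max_blocks(block_bits, log2_p) * (block_bits // 8)


def compare_block_sizes(log2_p: int = -32, sizes=(64, 128, 256)) -> dict:
    """Safe data volume in bytes for each block size at one collision budget.
    64 bits is the legacy (3DES-style) block, 128 bits is AES, 256 bits is
    the 'larger block' option the thread alludes to."""
    return {b: max_bytes(b, log2_p) for b in sizes}


if __name__ == "__main__":
    for b, volume in compare_block_sizes().items():
        print(f"{b:>3}-bit block: ~{volume:.3e} bytes before p(collision) > 2^-32")
```

Running it shows the gap the thread is talking about: at a 2^-32 budget a 64-bit block is exhausted after well under a megabyte, a 128-bit block after a few petabytes, and every doubling of the block size multiplies the allowed volume by about 2^(b/2). Mode choice only decides what happens once the collision occurs (OCB losing authenticity, per the quoted message); it does not move the bound.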