On Fri, Jan 1, 2016 at 4:42 PM, James Cloos <cl...@jhcloos.com> wrote:

> >>>>> "ER" == Eric Rescorla <e...@rtfm.com> writes:
>
> ER> Can you elaborate on this point a bit? I haven't been focusing on
> ER> ChaCha, but we're not quite done with ChaCha yet, so if changes are
> ER> needed, now would be the time.
>
> The switch from 64 bit nonce + 64 bit counter to 96 bit nonce + 32 bit
> counter means a max of 2**32 * 256 bits before a key update is needed, yes?


This doesn't sound right to me.

In TLS, we use a distinct nonce for each record and then a block counter
inside the record. So, it's true that you couldn't encrypt a record that
was more than 2^{32} * 256 bits long, but since TLS records can't be
more than 16KB long anyway, this isn't the critical limitation.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
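
Added example, not part of the original message: a Python sketch of the point in the reply above, that each TLS record gets its own nonce and the 32-bit block counter is only consumed within a single record. It assumes the RFC 7905 nonce construction (write IV XOR zero-padded sequence number) and the 64-byte ChaCha20 block of RFC 7539; the IV value and all function names are constructed for illustration.

```python
# Added illustration: per-record nonces and block-counter use for
# ChaCha20-Poly1305 in TLS. Names and the sample IV are constructed.

BLOCK_BYTES = 64                 # one ChaCha20 keystream block (RFC 7539)
COUNTER_BITS = 32                # block counter width with a 96-bit nonce
MAX_RECORD_PLAINTEXT = 2 ** 14   # 16 KB record limit mentioned in the thread

SAMPLE_WRITE_IV = bytes.fromhex("000102030405060708090a0b")  # constructed


def record_nonce(write_iv: bytes, seq: int) -> bytes:
    """96-bit nonce for one record: the 64-bit sequence number is
    left-padded to 12 bytes and XORed with the write IV (assumed
    RFC 7905 construction)."""
    if len(write_iv) != 12:
        raise ValueError("write IV must be 12 bytes")
    if not 0 <= seq < 2 ** 64:
        raise ValueError("sequence number must fit in 64 bits")
    padded = seq.to_bytes(12, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def blocks_for_record(plaintext_len: int) -> int:
    """Counter values used by one record: counter 0 derives the
    Poly1305 key, payload keystream starts at counter 1."""
    if not 0 <= plaintext_len <= MAX_RECORD_PLAINTEXT:
        raise ValueError("record exceeds the TLS plaintext limit")
    payload_blocks = -(-plaintext_len // BLOCK_BYTES)  # ceiling division
    return 1 + payload_blocks


def summarize(write_iv: bytes, n_records: int, record_len: int) -> dict:
    """Check nonce uniqueness across records and report how far a
    record of record_len bytes is from exhausting the counter."""
    nonces = {record_nonce(write_iv, s) for s in range(n_records)}
    used = blocks_for_record(record_len)
    return {
        "nonces_distinct": len(nonces) == n_records,
        "highest_counter": used - 1,
        "counter_space": 2 ** COUNTER_BITS,
        "headroom_factor": 2 ** COUNTER_BITS // used,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_WRITE_IV, 1000, MAX_RECORD_PLAINTEXT))
```

A full-size record reaches counter value 256 out of 2^32, so the per-nonce counter width never comes into play; the 64-bit sequence number feeding the nonce is what advances across records.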