Hey Martin,
You're right, this analysis works for any block cipher with 128-bit
output that is "good enough" (a pseudorandom permutation), and so for
all versions of AES regardless of the key size. Determining the
appropriate key size for the block cipher relies on accounting for
possible attacks against the block cipher itself, and estimating the
computational power of the adversaries you want to protect against.
You could also use formula (7) to recompute the bounds with a different
block size (e.g. 64 bits).
Atul
On 2016-04-29 05:40, Martin Thomson wrote:
On 9 March 2016 at 09:16, aluykx <atul.lu...@esat.kuleuven.be> wrote:
Kenny Paterson and I prepared a document providing an overview of how much
data ChaCha20+Poly1305 and AES-GCM can process with a single key. Besides
summarizing the results, the document also gives an explanation of why the
limits are there. The document confirms the analysis done by Watson and
others in the thread on "Data Volume Limits", but goes into more detail.
Hi Atul,
Just to confirm, but this analysis is for all variants of AES-GCM
regardless of key size? From formula (7) it shows that attack
probability is directly a function of block size and the number of
blocks.
--Martin
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls