Hi
On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>Hi Kenny,
>
>On 7/12/16, 12:33 PM, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk> wrote:
>
>>Finally, you write "to come to the 2^38 record limit, they assume that
>>each record is the maximum 2^14 bytes". For clarity, we did not recommend
>>a limit of 2^38 records. That's Quynh's preferred number, and is
>>unsupported by our analysis.
>
>What is problem with my suggestion even with the record size being the
>maximum value?
There may be no problem with your suggestion. I was simply trying to make
it clear that 2^38 records was your suggestion for the record limit and
not ours. Indeed, if one reads our note carefully, one will find that we
do not make any specific recommendations. We consider the decision to be
one for the WG; our preferred role is to supply the analysis and help
interpret it if people want that. Part of that involves correcting
possible misconceptions and misinterpretations before they get out of hand.
Now 2^38 does come out of our analysis if you are willing to accept single
key attack security (in the indistinguishability sense) of 2^{-32}. So in
that limited sense, 2^38 is supported by our analysis. But it is not our
recommendation.
But, speaking now in a personal capacity, I consider that security margin
to be too small (i.e. I think that 2^{-32} is too big a success
probability).
Regards,
Kenny
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
