Hi Kenny,

From: TLS <tls-boun...@ietf.org> on behalf of "Paterson, Kenny" <kenny.pater...@rhul.ac.uk>
Date: Friday, February 10, 2017 at 4:06 AM
To: Sean Turner <s...@sn3rd.com>
Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Hi,

My preference is to go with the existing text, option a).

From the github discussion, I think option c) involves a less conservative security bound (success probability for IND-CPA attacker bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be aware of the weaker security guarantees it provides.

I do not understand option b). It seems to rely on an analysis of collisions of ciphertext blocks rather than the established security proof for AES-GCM.

My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as being a counter-mode encryption and each counter is a 96-bit nonce || 32-bit counter. I don't know if there is another kind of proof that is more precise than that.

Regards,
Quynh.

Regards,
Kenny

On 10/02/2017 05:44, "Cfrg on behalf of Martin Thomson" <cfrg-boun...@irtf.org on behalf of martin.thom...@gmail.com> wrote:

On 10 February 2017 at 16:07, Sean Turner <s...@sn3rd.com> wrote:
a) Close these two PRs and go with the existing text [0]
b) Adopt PR#765 [1]
c) Adopt PR#769 [2]

a) I'm happy enough with the current text (I've implemented that and it's relatively easy). I could live with c, but I'm opposed to b. It just doesn't make sense. It's not obviously wrong any more, but the way it is written it is very confusing and easily open to misinterpretation.

_______________________________________________
Cfrg mailing list
c...@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
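The arithmetic behind the two bounds argued over in the thread, as an added example that is not part of any message above and not the text of either PR. It assumes what the thread itself states: TLS 1.3 AES-GCM is counter mode with a 96-bit nonce || 32-bit counter block, and the IND-CPA success probability is estimated by the standard PRP/PRF switching bound sigma^2 / 2^129, where sigma is the number of AES blocks processed under one key. It further assumes a full-size record carries 2^14 bytes of plaintext and costs one extra AES block for the tag mask E_K(J0). All function and variable names are this example's own.

```python
# Added example (not from the thread): arithmetic behind the AES-GCM key-usage
# limits. Assumptions: IND-CPA term estimated by the PRP/PRF switching bound
# sigma^2 / 2^129 (sigma = AES blocks under one key), a full-size TLS 1.3
# record carries 2^14 bytes of plaintext, and each record costs one extra AES
# block for the tag mask E_K(J0). Names are this example's own.
import math

BLOCK_BYTES = 16
TLS13_MAX_PLAINTEXT = 2 ** 14            # full-size record payload, bytes
NONCE_BITS, COUNTER_BITS = 96, 32        # GCM counter block = nonce || counter


def blocks_per_record(plaintext_bytes: int = TLS13_MAX_PLAINTEXT) -> int:
    """AES invocations one GCM record costs: keystream blocks plus the E_K(J0)
    block that masks the tag. The once-per-key GHASH key E_K(0) is ignored
    as negligible (assumption)."""
    return -(-plaintext_bytes // BLOCK_BYTES) + 1


def max_plaintext_bytes_per_nonce() -> int:
    """Longest plaintext one nonce can carry: counter value 1 is J0 (the tag
    mask) and the keystream runs from counter 2 up to 2^32 - 1 without
    wrapping back onto J0, i.e. 2^32 - 2 blocks. Equals the 2^39 - 256 bit
    limit of SP 800-38D."""
    return (2 ** COUNTER_BITS - 2) * BLOCK_BYTES


def log2_advantage_bound(records: int,
                         plaintext_bytes: int = TLS13_MAX_PLAINTEXT) -> float:
    """log2 of sigma^2 / 2^129 after `records` records under one key."""
    sigma = records * blocks_per_record(plaintext_bytes)
    return 2 * math.log2(sigma) - 129


def max_records(log2_target: int,
                plaintext_bytes: int = TLS13_MAX_PLAINTEXT) -> int:
    """Largest record count keeping sigma^2 / 2^129 <= 2^log2_target.
    Exact integer arithmetic: sigma <= floor(sqrt(2^(129 + log2_target)))."""
    if log2_target > 0 or 129 + log2_target < 0:
        raise ValueError("log2_target must be an exponent in [-129, 0]")
    sigma_max = math.isqrt(2 ** (129 + log2_target))
    return sigma_max // blocks_per_record(plaintext_bytes)


if __name__ == "__main__":
    # A full-size record (plus the TLS 1.3 content-type byte and padding
    # allowance) is nowhere near exhausting the 32-bit counter of one nonce.
    assert TLS13_MAX_PLAINTEXT + 256 < max_plaintext_bytes_per_nonce()
    for target in (-60, -32):
        n = max_records(target)
        print(f"2^{target} margin -> {n:,} full-size records (~2^{math.log2(n):.1f}); "
              f"bound at that count: 2^{log2_advantage_bound(n):.2f}")
```

Under these assumptions the 2^{-60} figure in the thread corresponds to roughly 2^24.5 full-size records per key, and relaxing the target to 2^{-32} buys a factor of about 2^14 more records; the per-nonce counter limit is a separate constraint that a 2^14-byte record never approaches.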