Dear Quynh,

On 10/02/2017 12:48, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:

> Hi Kenny,
>
>> Hi,
>>
>> My preference is to go with the existing text, option a).
>>
>> From the github discussion, I think option c) involves a less conservative
>> security bound (success probability for IND-CPA attacker bounded by
>> 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be
>> aware of the weaker security guarantees it provides.
>>
>> I do not understand option b). It seems to rely on an analysis of
>> collisions of ciphertext blocks rather than the established security proof
>> for AES-GCM.
>>
>
> My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as
> being a counter-mode encryption and each counter is a 96-bit nonce ||
> 32-bit counter. I don't know if there is another kind of proof that is
> more precise than that.

Thanks for explaining. I think, then, that what you are doing is (in effect) accounting for the PRP/PRF switching lemma that is used (in a standard way) as part of the IND-CPA security proof of AES-GCM.

One can obtain a greater degree of precision by using the proven bounds for IND-CPA security of AES-GCM. These incorporate the "security loss" coming from the PRP/PRF switching lemma. The current best form of these bounds is due to Iwata et al. This is precisely what we analyse in the note at http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf - specifically, see equations (5) - (7) on page 6 of that note.

Regards,

Kenny

> Regards,
> Quynh.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
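The "counting" argument in this exchange, i.e. treating AES-GCM as counter mode and charging the PRP/PRF switching-lemma loss for every keystream block, can be turned into a concrete per-key data limit. The script below is an added example written for this page; it is not from the thread, the TLS 1.3 draft or the Luykx-Paterson note, and it does not reproduce that note's equations (5)-(7). It uses only the classic switching-lemma term q(q-1)/2^(n+1) (no PRP term for AES itself and no integrity bound), and it assumes a full-size TLS 1.3 record carries 2^14 plaintext bytes, i.e. 2^10 AES blocks. Those assumptions are what make the two margins discussed here, 2^-60 (option a) and 2^-32 (option c), comparable as record counts.

```python
import math

BLOCK_BITS = 128                 # AES block size in bits
# Assumption: a full-size TLS 1.3 record carries 2^14 bytes of plaintext,
# i.e. 2^10 AES blocks; the GCM tag block and any padding are ignored here.
BLOCKS_PER_RECORD = (2 ** 14) // 16
# With a 96-bit nonce || 32-bit counter, GCM reserves counter values 0 and 1
# (J0 and the tag mask), so one record can never exceed 2^32 - 2 blocks.
MAX_BLOCKS_PER_NONCE = 2 ** 32 - 2


def switching_lemma_term(total_blocks: int) -> float:
    """PRP/PRF switching lemma: an adversary making q distinct calls to an
    n-bit block cipher distinguishes it from a random function with
    advantage at most q(q-1)/2^(n+1). In counter mode each keystream block
    is one such call, so q is the total number of blocks encrypted under
    the key (nonce-respecting, as TLS 1.3's per-record nonces guarantee)."""
    return total_blocks * (total_blocks - 1) / 2 ** (BLOCK_BITS + 1)


def max_blocks_for_margin(log2_margin: int) -> int:
    """Largest sigma with sigma*(sigma-1) <= 2^(129 - log2_margin): the most
    keystream blocks one key may produce while the switching-lemma term
    stays at or below 2^-log2_margin. Exact integer arithmetic throughout."""
    budget = 2 ** (BLOCK_BITS + 1 - log2_margin)
    sigma = math.isqrt(budget)            # sigma^2 <= budget, so sigma*(sigma-1) <= budget
    while (sigma + 1) * sigma <= budget:  # step up while the next value still fits
        sigma += 1
    return sigma


def max_records_for_margin(log2_margin: int,
                           blocks_per_record: int = BLOCKS_PER_RECORD) -> int:
    """Number of full-size records that fit under the chosen margin."""
    if blocks_per_record > MAX_BLOCKS_PER_NONCE:
        raise ValueError("a single GCM nonce cannot cover that many blocks")
    return max_blocks_for_margin(log2_margin) // blocks_per_record


def log2_max_records(log2_margin: int) -> float:
    """The same record limit on a log2 scale, the way the thread states its numbers."""
    return math.log2(max_records_for_margin(log2_margin))


def margin_for_records(records: int,
                       blocks_per_record: int = BLOCKS_PER_RECORD) -> float:
    """Inverse view: for a planned record count, -log2 of the switching-lemma term."""
    return -math.log2(switching_lemma_term(records * blocks_per_record))


if __name__ == "__main__":
    for margin in (60, 32):   # option a) vs option c) in the thread
        print(f"margin 2^-{margin}: up to 2^{log2_max_records(margin):.2f} "
              f"({max_records_for_margin(margin):,}) full-size records per key")
    print(f"2^24 records -> margin about 2^-{margin_for_records(2 ** 24):.1f}")
```

Under these assumptions the 2^-60 margin allows roughly 2^24.5 full-size records per key, while relaxing to 2^-32 allows roughly 2^38.5, which is the gap between options a) and c) that the thread is weighing. A tighter analysis, such as the published GCM bounds the note refers to, adds further terms and may move these figures, so treat this as the counting argument only.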
>Hi Kenny, > >>Hi, >> >> >>My preference is to go with the existing text, option a). >> >> >>From the github discussion, I think option c) involves a less >>conservative >>security bound (success probability for IND-CPA attacker bounded by >>2^{-32} instead of 2^{-60}). I can live with that, but the WG should be >>aware of the weaker security guarantees it provides. >> >> >>I do not understand option b). It seems to rely on an analysis of >>collisions of ciphertext blocks rather than the established security >>proof >>for AES-GCM. >> >> > > >My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as >being a counter-mode encryption and each counter is a 96-bit nonce || >32-bit counter. I don’t know if there is another kind of proof that is >more precise than that. Thanks for explaining. I think, then, that what you are doing is (in effect) accounting for the PRP/PRF switching lemma that is used (in a standard way) as part of the IND-CPA security proof of AES-GCM. One can obtain a greater degree of precision by using the proven bounds for IND-CPA security of AES-GCM. These incorporate the "security loss" coming from the PRP/PRF switching lemma. The current best form of these bounds is due to Iwata et al.. This is precisely what we analyse in the note at http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf - specifically, see equations (5) - (7) on page 6 of that note. Regards, Kenny > > >Regards, >Quynh. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls