Hello,

Our analysis of miTLS also supports option a).

A security level of 2^-32 seems too low from a provable security point of view, especially for a confidentiality bound. We verified an implementation of the TLS 1.3 record (https://eprint.iacr.org/2016/1178, to appear at Security & Privacy 2017) where we arrive at a combined bound for authenticity and confidentiality that is compatible with the Iwata et al. bound.

Regards,
Markulf (for the miTLS team)

> Hi,
>
> My preference is to go with the existing text, option a).
>
> From the github discussion, I think option c) involves a less conservative
> security bound (success probability for IND-CPA attacker bounded by
> 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be
> aware of the weaker security guarantees it provides.
>
> I do not understand option b). It seems to rely on an analysis of
> collisions of ciphertext blocks rather than the established security proof
> for AES-GCM.
>
> Regards,
>
> Kenny
>
> On 10/02/2017 05:44, "Cfrg on behalf of Martin Thomson"
> <cfrg-bounces at irtf.org on behalf of martin.thomson at gmail.com> wrote:
>
>> On 10 February 2017 at 16:07, Sean Turner <sean at sn3rd.com> wrote:
>>> a) Close these two PRs and go with the existing text [0]
>>> b) Adopt PR#765 [1]
>>> c) Adopt PR#769 [2]
>>
>> a) I'm happy enough with the current text (I've implemented that and
>> it's relatively easy).
>>
>> I could live with c, but I'm opposed to b. It just doesn't make sense.
>> It's not obviously wrong any more, but the way it is written it is
>> very confusing and easily open to misinterpretation.
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg at irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
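As an added illustration that is not part of this thread, the following Python turns a target IND-CPA bound such as the 2^-60 and 2^-32 figures discussed above into the number of full-size TLS 1.3 records one AES-GCM key may protect. The bound it uses is an assumption on my part: the simplified PRP/PRF switching-lemma form of the Iwata et al. GCM bound, with AES treated as an ideal PRP and the PRP advantage term dropped; the function names and constants are mine, not the thread's.

```python
# Added example, not part of the thread: how a target IND-CPA bound such as
# 2^-60 or 2^-32 translates into the number of AES-GCM records a single key
# may protect. The bound below is an assumption: the simplified PRP/PRF
# switching-lemma form of the Iwata et al. GCM bound, treating AES as an
# ideal PRP and ignoring the PRP advantage term itself.
from fractions import Fraction
import math

BLOCK_BITS = 128
RECORD_BYTES = 2 ** 14                   # full-size TLS 1.3 plaintext record
BLOCKS_PER_RECORD = RECORD_BYTES // 16   # 2^10 AES calls per record payload


def gcm_ind_cpa_bound(records: int, blocks_per_record: int = BLOCKS_PER_RECORD) -> Fraction:
    """Upper bound on an IND-CPA attacker's advantage after `records` encryptions.

    sigma counts the counter-mode AES calls; one extra call per record masks
    the tag, and the +1 covers the hash-key derivation E_K(0^128).
    """
    q = records
    sigma = q * blocks_per_record
    return Fraction((sigma + q + 1) ** 2, 2 ** (BLOCK_BITS + 1))


def max_records_for_bound(target_exponent: int, blocks_per_record: int = BLOCKS_PER_RECORD) -> int:
    """Largest record count whose bound still stays <= 2^-target_exponent (binary search)."""
    target = Fraction(1, 2 ** target_exponent)
    lo, hi = 0, 2 ** 64                  # TLS record sequence numbers are 64-bit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if gcm_ind_cpa_bound(mid, blocks_per_record) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def compare_options(exponents=(60, 32)) -> dict:
    """Record limit (and its log2) for each candidate bound in the thread."""
    return {e: (max_records_for_bound(e), round(math.log2(max_records_for_bound(e)), 1))
            for e in exponents}


if __name__ == "__main__":
    for exponent, (limit, log2_limit) in compare_options().items():
        print(f"bound 2^-{exponent}: up to {limit} records (~2^{log2_limit}) per key")
```

With 2^14-byte records the 2^-60 target lands at roughly 2^24.5 records per key, while relaxing to 2^-32 allows roughly 2^38.5, which is the trade-off between the two options in the thread.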