Hi Markulf, The probability of a bad thing to happen is actually below (or about) 2^(-33). It practically won’t happen when the chance is 1 in 2^32. And, to achieve that chance, you must collect 2^48 128-bit blocks.
Regards, Quynh. From: TLS <tls-boun...@ietf.org<mailto:tls-boun...@ietf.org>> on behalf of Markulf Kohlweiss <mark...@microsoft.com<mailto:mark...@microsoft.com>> Date: Monday, February 13, 2017 at 10:34 AM To: "Paterson, Kenny" <kenny.pater...@rhul.ac.uk<mailto:kenny.pater...@rhul.ac.uk>>, Sean Turner <s...@sn3rd.com<mailto:s...@sn3rd.com>> Cc: Antoine Delignat-Lavaud <an...@microsoft.com<mailto:an...@microsoft.com>>, IRTF CFRG <c...@irtf.org<mailto:c...@irtf.org>>, "<tls@ietf.org<mailto:tls@ietf.org>>" <tls@ietf.org<mailto:tls@ietf.org>> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Hello, Our analysis of miTLS also supports option a) A security level of 2^-32 seems too low from a provable security point of view, especially for a confidentiality bound. We verified an implementation of the TLS 1.3 record (https://eprint.iacr.org/2016/1178, to appear at Security & Privacy 2017) where we arrive at a combined bound for authenticity and confidentiality that is compatible with the Iwata et al. bound. Regards, Markulf (for the miTLS team) Hi, My preference is to go with the existing text, option a). >From the github discussion, I think option c) involves a less conservative security bound (success probability for IND-CPA attacker bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be aware of the weaker security guarantees it provides. I do not understand option b). It seems to rely on an analysis of collisions of ciphertext blocks rather than the established security proof for AES-GCM. Regards, Kenny On 10/02/2017 05:44, "Cfrg on behalf of Martin Thomson" <cfrg-bounces at irtf.org on behalf of martin.thomson at gmail.com> wrote: On 10 February 2017 at 16:07, Sean Turner <sean at sn3rd.com> wrote: a) Close these two PRs and go with the existing text [0] b) Adopt PR#765 [1] c) Adopt PR#769 [2] a) I'm happy enough with the current text (I've implemented that any it's relatively easy). I could live with c, but I'm opposed to b. It just doesn't make sense. It's not obviously wrong any more, but the way it is written it is very confusing and easily open to misinterpretation. _______________________________________________ Cfrg mailing list Cfrg at irtf.org https://www.irtf.org/mailman/listinfo/cfrg _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
