Hi Atul, I hope you had a happy Valentine!

From: Atul Luykx <atul.lu...@esat.kuleuven.be>
Date: Tuesday, February 14, 2017 at 4:52 PM
To: Yoav Nir <ynir.i...@gmail.com>
Cc: 'Quynh' <quynh.d...@nist.gov>, IRTF CFRG <c...@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Why is that 2^48 input blocks rather than 2^34.5 input blocks?

Because he wants to lower the security level.

I respectfully disagree. 2^-32, 2^-33, 2^-57, 2^-60, 2^-112 are practically the same: they are practically zero. And, 2^-32 is an absolute chance in this case meaning that all attackers can’t improve their chance: no matter how much computational power the attacker has. I don’t understand why the number 2^-60 is your special chosen number for this? In your “theory”, 2^-112 would be in “higher” security than 2^-60.

Quynh.

The original text recommends switching at 2^{34.5} input blocks, corresponding to a success probability of 2^{-60}, whereas his text recommends switching at 2^{48} blocks, corresponding to a success probability of 2^{-32}.

Atul

On 2017-02-14 11:45, Yoav Nir wrote:

Hi, Quynh

On 14 Feb 2017, at 20:45, Dang, Quynh (Fed) <quynh.d...@nist.gov> wrote:

Hi Sean and all,

Besides my suggestion at https://www.ietf.org/mail-archive/web/tls/current/msg22381.html [1], I have a second suggestion below.

Just replacing this sentence:

"For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be encrypted on a given connection while keeping a safety margin of approximately 2^-57 for Authenticated Encryption (AE) security."

in Section 5.5 by this sentence:

"For AES-GCM, up to 2^48 (partial or full) input blocks may be encrypted with one key. For other suggestions and analysis, see the referred paper above."

Regards,
Quynh.

I like the suggestion, but I’m probably missing something pretty basic about it. 2^24.5 full-size records is 2^24.5 records of 2^14 bytes each, or (since an AES block is 16 bytes or 2^4 bytes) 2^24.5 records of 2^10 blocks. Why is that 2^48 input blocks rather than 2^34.5 input blocks?

Thanks

Yoav

Links:
------
[1] https://www.ietf.org/mail-archive/web/tls/current/msg22381.html

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls