[TLS] AES-GCM and ChaCha-Poly1305: how many bytes are safe?

2015-11-02 Thread Watson Ladd
Dear all, All modes have a limit on how much data can be encrypted before bad things start to happen, i.e. IND-$ becoming false, or authenticity becoming false. In this email I will discuss what those limits are for AES-GCM and ChaCha20-Poly1305, assuming the usual assumptions about the ciphers:

[TLS] Revised I-D: Use of KCipher-2 with Poly1305 in Transport Layer Security (draft-kiyomoto-kcipher2-tls-02)

2015-11-02 Thread 堀 良彰
Hi, We've posted a new version of "Use of KCipher-2 with Poly1305 in Transport Layer Security" (draft-kiyomoto-kcipher2-tls-02) that address to add a cipher suite, KCipher-2 [RFC7008] and Poly1305 running with AEAD for TLS1.2. Name: draft-kiyomoto-kcipher2-tls Revision: 02 Title:

Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-01.txt

2015-11-02 Thread Colm MacCárthaigh
Huge +1 to this I-D, just some minor comments: * I wonder if the document should be more forthright in specifying that the ChaCha20/Poly1305 implementations SHOULD actually attempt to use constant-time and constant-access patterns that the algorithm is designed to facilitate. If that's a selling

Re: [TLS] [Cfrg] Collision issue in ciphertexts.

2015-11-02 Thread Dang, Quynh
Now, you talked about a MAC function (with AES). I previously talked about encryption. If I , the only person, uses the MAC key, when I generate more than 2^64 MAC values (Let's say each MAC value is 96 bits), I have many collided MAC pairs. But, I am the only one (beside the person(s)

Re: [TLS] AES-GCM and ChaCha-Poly1305: how many bytes are safe?

2015-11-02 Thread Yoav Nir
> On 3 Nov 2015, at 4:59 AM, Brian Smith wrote: > > Watson Ladd > wrote: > For these results a > sender of 2^60 messages can tolerate 2^60 forgery attempts while the > probability of forgery is at most 1.002/2^52. > >

Re: [TLS] [Cfrg] Collision issue in ciphertexts.

2015-11-02 Thread Watson Ladd
On Nov 2, 2015 2:14 AM, "Dang, Quynh" wrote: > > Hi Eric, > > > As you asked the question about how many ciphertext blocks should be safe under a single key, I think it is safe to have 2^96 blocks under a given key if the IV (counter) is 96 bits. This is wrong for PRP, right