Why is that 2^48 input blocks rather than 2^34.5 input blocks?
Because he wants to lower the security level. The original text
recommends switching at 2^{34.5} input blocks, corresponding to a
success probability of 2^{-60}, whereas his text recommends switching at
2^{48} blocks, corresponding
Hey Quynh,
When someone says AES-128 has 128 bits of security he or she means
that 2^128 AES operations will break the cipher with probability 100%:
finding the key and the plaintext.
The claim is stronger: regardless of the number of plaintext-ciphertext
pairs available to the adversary, it wi
On 2016-08-16 07:51, Watson Ladd wrote:
On Mon, Aug 15, 2016 at 9:56 PM, Martin Thomson
wrote:
On 16 August 2016 at 09:46, Paterson, Kenny
wrote:
Sadly, you can't implement XGCM using an existing AES-GCM API,
because of
the way the MAC (which is keyed) is computed over the ciphertext in
the
Right now I see no reason for this not to work. In fact if you XOR the
tag as well, then every block cipher call looks similar to a DESX call,
like in XCAU.
Atul
On 2016-08-15 21:56, Martin Thomson wrote:
On 16 August 2016 at 09:46, Paterson, Kenny
wrote:
Sadly, you can't implement XGCM usin
Hey David,
On 2016-07-19 11:58, David McGrew wrote:
Hi Atul,
On Jul 19, 2016, at 2:26 AM, Atul Luykx
wrote:
What is especially cool about counter mode encryption is how its real
world security degrades more gracefully than CBC mode encryption. I
am not sure that the FSE paper did a good
ssible
to formalize your intuition.
Atul
On 2016-07-18 23:11, David McGrew wrote:
Hi Quynh,
On Jul 13, 2016, at 9:58 AM, Dang, Quynh (Fed)
wrote:
On 7/13/16, 9:26 AM, "Watson Ladd" wrote:
On Wed, Jul 13, 2016 at 5:30 AM, Atul Luykx
wrote:
Hey Quynh,
How can one use the distin
will be good enough in practice. However, it's important
to be clear about the risks involved in venturing into unknown
territory.
Atul
On 2016-07-13 13:14, Dang, Quynh (Fed) wrote:
Hi Atul,
On 7/12/16, 3:50 PM, "Atul Luykx" wrote:
To be clear, this probability is that an at
To be clear, this probability is that an attacker would be able to
take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential
(but incorrect) plaintext, and with probability 2^{-32}, be able to
determine that this plaintext was not the one used for the ciphertext
(and with probability
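The two figures quoted in this thread (switching keys at 2^{34.5} input blocks for a success probability of about 2^{-60}, and a 2^{-32} distinguishing probability for a 4+ petabyte ciphertext) both fall out of the same birthday-style bound for a 128-bit block cipher. The following worked calculation is an added example and not code from any of the messages above; it assumes the simplified confidentiality bound Adv <= sigma^2 / 2^129 for sigma input blocks (a variant with 2^128 in the denominator is also common, and the two differ by a factor of two), and it ignores the additional terms for nonce length, number of sessions and the authenticity side of GCM. The 16-byte AES block and the 2^14-byte TLS record size are the only other inputs.

```python
"""Data-volume bounds for AES-GCM confidentiality.

Added example (not from the CFRG thread). Assumption: the advantage of
distinguishing AES-CTR keystream from random after sigma 128-bit blocks is
bounded by sigma^2 / 2^denom_exp, the standard PRP/PRF switching bound.
Only the confidentiality term is modelled; nonce and key-count terms are
deliberately left out.
"""
from fractions import Fraction
import math

AES_BLOCK_BYTES = 16          # one AES block
TLS_RECORD_BYTES = 2 ** 14    # maximum TLS plaintext fragment


def distinguishing_bound(blocks: int, denom_exp: int = 129) -> Fraction:
    """Upper bound on the attacker's success probability after `blocks` blocks."""
    return Fraction(blocks * blocks, 2 ** denom_exp)


def max_blocks(log2_target: int, denom_exp: int = 129) -> int:
    """Largest block count whose bound stays at or below 2^log2_target.

    sigma^2 / 2^denom_exp <= 2^log2_target  <=>  sigma <= 2^((denom_exp + log2_target) / 2)
    """
    if log2_target >= 0:
        raise ValueError("target probability must be below 1 (negative log2)")
    return math.isqrt(2 ** (denom_exp + log2_target))


def log2_max_blocks(log2_target: int, denom_exp: int = 129) -> float:
    """Same limit expressed as a power of two, e.g. 34.5 for a 2^-60 target."""
    return math.log2(max_blocks(log2_target, denom_exp))


def blocks_to_bytes(blocks: int) -> int:
    return blocks * AES_BLOCK_BYTES


def blocks_to_tls_records(blocks: int, record_bytes: int = TLS_RECORD_BYTES) -> int:
    """Number of full-size TLS records that consume `blocks` blocks of keystream."""
    return blocks // (record_bytes // AES_BLOCK_BYTES)


def report(blocks: int) -> str:
    """One line of the comparison table printed by main()."""
    bound = distinguishing_bound(blocks)
    return (f"sigma = 2^{math.log2(blocks):.1f} blocks "
            f"= {blocks_to_bytes(blocks) / 2 ** 50:.1f} PiB "
            f"= 2^{math.log2(blocks_to_tls_records(blocks)):.1f} TLS records, "
            f"bound = 2^{math.log2(bound):.1f}")


if __name__ == "__main__":
    # The two operating points discussed in the thread.
    print(report(max_blocks(-60)))   # 2^34.5 blocks, bound about 2^-60
    print(report(2 ** 48))           # 2^48 blocks = 4 PiB, bound about 2^-33
    # How far a 2^-32 target would let a single key go under the same bound.
    print("limit for 2^-32:", f"2^{log2_max_blocks(-32):.1f} blocks")
```

The first line of the table reproduces the 2^{34.5} / 2^{-60} pair; the second shows that 2^{48} blocks is 4 PiB of ciphertext (the "4+ Petabyte" figure) with a bound of 2^{-33} under this constant, or 2^{-32} with 2^{128} in the denominator. Whichever constant one picks, the number of blocks a single key may process scales with the square root of the target probability, which is why relaxing the target from 2^{-60} to 2^{-32} buys roughly 2^{14} times more data.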
Here's a possible re-write of the second paragraph:
Nonce re-use in AES-GCM results in failure of both confidentiality and
authenticity. Not only will confidentiality be breached by leaking the
XOR of any two packets processed under the same nonce, but TLS sessions
can also be attacked through
Hey Martin,
You're right, this analysis works for any block cipher with 128 bit
output that is "good enough" (a pseudorandom permutation), and so for
all versions of AES regardless of the key size. Determining the
appropriate key size for the block cipher relies on accounting for
possible att