Watson Ladd <watsonbl...@gmail.com> wrote:
> The issue is the bounds in Iwata-Ohashi-Minematsu's paper, which show
> a quadratic confidentiality loss after a total volume sent. This is an
> exploitable issue.
>
Please explain in more detail how you got "2^36 bytes" for a nonce size of 96 bits from the Iwata-Ohashi-Minematsu paper [1].

[1] https://eprint.iacr.org/2012/438.pdf

Also, does the Niwa-Ohashi-Minematsu-Iwata follow-up paper [2] change things in any way? In particular, note that it concludes "The new security bounds improve the security bounds in [11] by a factor of 2^17, and they show that the security of GCM is actually close to what was originally claimed in [17,18]." A factor of 2^17 difference is pretty significant as far as this is concerned, AFAICT.

[2] https://eprint.iacr.org/2015/214.pdf

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls