On Dec 15, 2015 7:09 PM, "Henrick Hellström" <henr...@streamsec.se> wrote:
>
> On 2015-12-16 00:48, Eric Rescorla wrote:
>>
>>
>>
>> On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
>> <sfluh...@cisco.com <mailto:sfluh...@cisco.com>> wrote:
>>     The quadratic behavior in the security proofs is there for just
>>     about any block cipher mode, and is the reason why you want to stay
>>     well below the birthday bound.
>>
>>
>> The birthday bound here is 2^{64}, right?
>>
>> -Ekr
>>
>>        However, that's as true for (say) CBC mode as it is for GCM
>
>
> Actually, no.
>
> Using the sequence number as part of the effective nonce means that it
> won't collide. There is no relevant bound for collisions in the nonces or
> in the CTR state, because they simply won't happen (unless there is an
> implementation flaw). There won't be any potentially exploitable collisions.

You don't understand the issue. The issue is PRP not colliding, whereas PRF
can.

>
> However, theoretically, the GHASH state might collide with a 2^{64}
> birthday bound. This possibility doesn't seem entirely relevant, though.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
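To make the PRP-versus-PRF point in the reply concrete, here is a small added example (not from the thread or from any TLS implementation): a toy random permutation queried on distinct counter values never repeats an output, a random function does so at roughly q^2/2^(n+1), and that same q^2/2^(n+1) term is the switching-lemma bound that turns a 128-bit block into the 2^64 figure quoted above. The 16-bit toy block size and the seeded RNG are assumptions made for the demonstration only.

```python
import math
import random


def switching_bound(queries: int, block_bits: int = 128) -> float:
    """Upper bound on the advantage of telling a PRP from a PRF after
    `queries` blocks under one key: q^2 / 2^(n+1) (PRP/PRF switching lemma).
    This quadratic term is the 'quadratic behavior' the thread refers to."""
    return queries * queries / 2 ** (block_bits + 1)


def blocks_for_advantage(adv_log2: int, block_bits: int = 128) -> int:
    """Largest q such that q^2 / 2^(n+1) <= 2^adv_log2, i.e. how many blocks
    may be encrypted under one key before the bound reaches that advantage.
    adv_log2 = -1 (advantage 1/2) with n = 128 gives the 2^64 birthday bound."""
    return math.isqrt(2 ** (block_bits + 1 + adv_log2))


def count_collisions(outputs) -> int:
    """Number of outputs that repeat an earlier output."""
    seen, collisions = set(), 0
    for value in outputs:
        if value in seen:
            collisions += 1
        seen.add(value)
    return collisions


def prp_outputs(queries: int, block_bits: int, rng: random.Random):
    """Toy PRP (a block cipher stand-in): a random permutation on n-bit blocks,
    evaluated on distinct counter inputs as CTR mode does. Distinct inputs
    to a permutation give distinct outputs, so there are never collisions.
    The tiny block size is an assumption so the table fits in memory."""
    perm = list(range(2 ** block_bits))
    rng.shuffle(perm)
    return [perm[counter] for counter in range(queries)]


def prf_outputs(queries: int, block_bits: int, rng: random.Random):
    """Toy PRF: every query gets an independent uniform n-bit output, so
    collisions appear once q approaches 2^(n/2); expected count ~ q^2/2^(n+1)."""
    return [rng.getrandbits(block_bits) for _ in range(queries)]


if __name__ == "__main__":
    rng = random.Random(2015)          # fixed seed: constructed, for repeatability
    q, n = 4096, 16                    # q = 2^(n/2), right at the toy birthday bound
    print("PRP collisions:", count_collisions(prp_outputs(q, n, rng)))   # always 0
    print("PRF collisions:", count_collisions(prf_outputs(q, n, rng)))   # about 128
    print("AES-128 blocks before advantage 1/2: 2^%d" % blocks_for_advantage(-1).bit_length())
```

The distinguishing advantage stays small only if the number of blocks per key is kept far below 2^64 regardless of the mode, which is the operational reason for per-key data limits and rekeying.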
