On Dec 15, 2015 7:09 PM, "Henrick Hellström" <henr...@streamsec.se> wrote:
>
> On 2015-12-16 00:48, Eric Rescorla wrote:
>>
>> On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
>> <sfluh...@cisco.com> wrote:
>>
>>     The quadratic behavior in the security proofs is there for just
>>     about any block cipher mode, and is the reason why you want to stay
>>     well below the birthday bound.
>>
>> The birthday bound here is 2^{64}, right?
>>
>> -Ekr
>>
>>     However, that's as true for (say) CBC mode as it is for GCM
>
> Actually, no.
>
> Using the sequence number as part of the effective nonce means that it won't collide. There is no relevant bound for collisions in the nonces or in the CTR state, because they simply won't happen (unless there is an implementation flaw). There won't be any potentially exploitable collisions.

You don't understand the issue. The issue is PRP not colliding, whereas PRF can.

> However, theoretically, the GHASH state might collide with a 2^{64} birthday bound. This possibility doesn't seem entirely relevant, though.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
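A toy illustration of the PRP/PRF distinction the reply turns on, added here as an example and not part of the thread: a random permutation (standing in for the block cipher applied to distinct CTR-mode counter blocks) never repeats an output block, whereas a random function does, and the quadratic switching term q(q-1)/2^(n+1) is what prices that difference into the bound, reaching about 1/2 at q = 2^64 blocks for a 128-bit block. The 16-bit block size, the seeds and the oracle construction are assumptions chosen so the simulation runs in seconds.

```python
import random
from fractions import Fraction


def switching_term(n_bits: int, q: int) -> Fraction:
    # Quadratic PRP/PRF switching-lemma term q(q-1)/2^(n+1): the part of the
    # CTR/GCM bound that grows with the square of the number of blocks q,
    # and the reason ~2^64 blocks is the limit for a 128-bit block cipher.
    return Fraction(q * (q - 1), 2 ** (n_bits + 1))


def random_permutation(n_bits: int, seed: int):
    # Toy stand-in for a block cipher under one key (a PRP): a bijection.
    table = list(range(2 ** n_bits))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def random_function(n_bits: int, seed: int):
    # Toy stand-in for an ideal keystream source (a PRF): outputs may repeat.
    rng = random.Random(seed)
    table = [rng.randrange(2 ** n_bits) for _ in range(2 ** n_bits)]
    return table.__getitem__


def count_output_collisions(oracle, q: int) -> int:
    # Feed q distinct counter blocks 0..q-1, as CTR mode does, and count how
    # many output blocks repeat an earlier one.
    seen = set()
    collisions = 0
    for counter in range(q):
        block = oracle(counter)
        if block in seen:
            collisions += 1
        seen.add(block)
    return collisions


def compare(n_bits: int, q: int, seed: int = 1) -> tuple:
    # Return (collisions under the PRP, collisions under the PRF) for q blocks.
    assert q <= 2 ** n_bits, "the toy tables only cover 2^n_bits inputs"
    prp = count_output_collisions(random_permutation(n_bits, seed), q)
    prf = count_output_collisions(random_function(n_bits, seed), q)
    return prp, prf


if __name__ == "__main__":
    print(compare(16, 2 ** 16))                  # PRP side is always 0
    print(float(switching_term(128, 2 ** 64)))   # about 0.5
```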