Quoting Aaron Zauner <a...@azet.org>:

> * Samuel Neves <sne...@dei.uc.pt> [01/01/2016 12:19:36] wrote:
>> OCB is, if anything, worse than GCM when it comes to data volume limits. It has the same confidentiality bounds as GCM (slightly worse, in fact), but once you hit a collision you also lose authenticity and enable simple forgeries [1].
>
> If I understand correctly the same is true for GCM?

The contention with GCM in this thread has been, so far, focused on confidentiality. This is because, by a result of Bernstein [1] (see also Appendix C of [2]), after q = 2^60 messages sent, plus q' = 2^60 attempted forgeries by an attacker with messages at most l_A = 2^16 blocks long, the probability that the attacker forges a message is still ~2^-52. This does not present a data volume problem at the moment for the authentication part of AES-GCM.

On the other hand, after 2^60 OCB messages of 2^16 blocks (and thus 2^76 total blocks), a block collision is almost guaranteed to have happened, enabling the aforementioned forgeries.

What you may be thinking of is the GCM behavior on _nonce reuse_. In this case, we are able to recover the authentication key by root finding and forge messages at will. This is also the case with OCB---on nonce reuse, we can forge any message that has the same checksum as a valid message.

[1] http://cr.yp.to/antiforgery/securitywcs-20050227.pdf
[2] https://eprint.iacr.org/2012/438

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
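The numbers in the reply above (the ~2^-52 GCM forgery bound, and the near-certain OCB block collision after 2^60 messages of 2^16 blocks) can be reproduced with a short calculation. The script below is an added example and is not part of the thread; it assumes the Wegman-Carter-Shoup forgery bound has the form q' * eps * (1 - q/2^n)^(-(q+1)/2) as given by Bernstein, with eps = (l_A + 1)/2^128 as the GHASH differential probability for messages of at most l_A blocks, and it uses the standard birthday approximation 1 - exp(-k(k-1)/2N) for block collisions. The last function goes beyond the thread: it inverts the birthday estimate to give a per-key message budget for a chosen collision probability, which is the number a rekeying policy actually needs.

```python
import math

# AES-GCM and OCB both sit on a 128-bit block cipher.
BLOCK_BITS = 128
N = 2.0 ** BLOCK_BITS  # number of distinct 128-bit blocks, as a float for the bounds below


def block_collision_prob(total_blocks):
    """Birthday estimate of P[two of `total_blocks` random 128-bit blocks collide].

    Uses 1 - exp(-k(k-1)/(2N)), evaluated via expm1 so that both very small
    probabilities (2^-65) and values rounding to 1.0 come out correctly.
    """
    k = float(total_blocks)
    return -math.expm1(-k * (k - 1.0) / (2.0 * N))


def ocb_collision_prob(messages, blocks_per_message):
    """OCB: q messages of l blocks each expose q*l block-cipher outputs under one key.

    The thread's point is that once any two of them collide, authenticity is lost
    as well, so this is the figure that bounds how long an OCB key may be used.
    """
    return block_collision_prob(messages * blocks_per_message)


def gcm_forgery_bound(q, q_prime, l_a):
    """Assumed form of Bernstein's bound applied to AES-GCM:

        q' * eps * (1 - q/2^n)^(-(q+1)/2)

    q        = messages authenticated under the key
    q_prime  = forgery attempts
    l_a      = maximum message length in blocks
    eps      = (l_a + 1) / 2^128, the GHASH differential probability
               (a message of l_a blocks plus the length block gives a
               polynomial of degree l_a + 1; this value is an assumption)
    The correction factor is computed in log space to avoid 1 - tiny == 1.
    """
    eps = (l_a + 1.0) / N
    log_factor = -((q + 1.0) / 2.0) * math.log1p(-q / N)
    return q_prime * eps * math.exp(log_factor)


def max_messages_before_collision(blocks_per_message, target_prob):
    """Largest number of fixed-length messages under one key before the birthday
    collision probability exceeds `target_prob` (inverts the k^2/(2N) approximation).
    This is the rekeying budget a deployment would derive from the bound."""
    k = math.sqrt(-2.0 * N * math.log1p(-target_prob))
    return math.floor(k / blocks_per_message)


if __name__ == "__main__":
    # The thread's scenario: q = q' = 2^60, messages of 2^16 blocks.
    q = q_prime = 2 ** 60
    l_a = 2 ** 16
    print("GCM forgery bound:   2^%.3f" % math.log2(gcm_forgery_bound(q, q_prime, l_a)))
    print("OCB collision prob:  %.6f" % ocb_collision_prob(q, l_a))
    # Budget for a 2^-32 collision risk with 2^16-block messages (constructed target).
    print("messages per key at 2^-32 risk: 2^%.2f"
          % math.log2(max_messages_before_collision(l_a, 2.0 ** -32)))
```

Run as a script it prints the thread's figures; the GCM line comes out at about 2^-52 and the OCB collision probability rounds to 1.0, which is the asymmetry the reply describes: GCM's authentication key survives far beyond the point where OCB's per-block collisions have already handed an attacker forgeries.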