Hi,

* sne...@dei.uc.pt <sne...@dei.uc.pt> [01/01/2016 18:19:26] wrote:
> The contention with GCM in this thread has been, so far, focused on
> confidentiality. This is because, by a result of Bernstein [1] (see also
> Appendix C of [2]), after q = 2^60 messages sent, plus q' = 2^60 attempted
> forgeries by an attacker with messages at most l_A = 2^16 blocks long, the
> probability of an attacker to forge a message is still ~2^-52. This does not
> present a data volume problem at the moment for the authentication part of
> AES-GCM.
>

Interesting - I was not aware of that. Thanks for taking the time to explain.

> On the other hand, after 2^60 OCB messages of 2^16 blocks (and thus 2^76
> total blocks), a block collision is almost guaranteed to have happened,
> enabling the aforementioned forgeries.

Sure. Would you see any way to improve this situation in the draft, i.e. give implementation recommendations or similar?

> What you may be thinking of is the GCM behavior on _nonce reuse_. In this
> case, we are able to recover the authentication key by root finding and
> forge messages at will. This is also the case with OCB---on nonce reuse, we
> can forge any message that has the same checksum as a valid message.

No. Nonce reuse is a separate issue, the one I addressed in my commit on the draft linked to in an earlier message. The construction used in the chacha20/poly1305 draft is very elegant I think: if you do not implement a proper nonce the implementation will not interoperate with other implementations conforming to spec.

Thanks again,
Aaron
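The OCB data-volume figure discussed above (2^60 messages of 2^16 blocks, i.e. 2^76 blocks under one key) worked through as a birthday-bound calculation, so that an implementer can turn a collision-probability budget into a per-key byte or message limit. This is an added example, not code from the thread or the draft; it assumes a 128-bit AES block and the standard N(N-1)/2^(b+1) approximation, and the 2^-32 budget is a constructed comparison value.

```python
"""Birthday-bound arithmetic for the OCB per-key data-volume question.

Added example (not from the original thread). Assumes a 128-bit block cipher
(AES, b = 128) and the usual approximation
    P[collision] ~= 1 - exp(-N(N-1) / 2^(b+1))
for N b-bit blocks that behave like uniformly random values.
"""
import math

BLOCK_BITS = 128            # AES block size (assumption: AES-based OCB)
BLOCK_BYTES = BLOCK_BITS // 8


def collision_probability(n_blocks: int, block_bits: int = BLOCK_BITS) -> float:
    """Approximate probability that at least two of n_blocks b-bit blocks collide.

    -expm1(-x) keeps precision for tiny probabilities where 1 - exp(-x)
    would round to 0.0.
    """
    x = n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)
    return -math.expm1(-x)


def max_blocks_for_budget(p_max: float, block_bits: int = BLOCK_BITS) -> float:
    """Largest N for which the approximate collision probability stays <= p_max."""
    return math.sqrt(-math.log1p(-p_max) * 2 ** (block_bits + 1))


def thread_scenario() -> dict:
    """The thread's numbers: 2^60 messages of 2^16 blocks = 2^76 blocks per key."""
    n_blocks = 2 ** 60 * 2 ** 16
    budget = 2.0 ** -32     # constructed per-key collision budget for comparison
    safe_blocks = max_blocks_for_budget(budget)
    return {
        "blocks": n_blocks,
        "collision_probability": collision_probability(n_blocks),
        "safe_blocks_at_2^-32": safe_blocks,
        "safe_bytes_at_2^-32": safe_blocks * BLOCK_BYTES,
        "safe_2^16-block_messages_at_2^-32": safe_blocks / 2 ** 16,
    }


if __name__ == "__main__":
    for name, value in thread_scenario().items():
        print(f"{name}: {value:.4g}")
```

With the thread's 2^76 blocks the collision probability evaluates to 1.0, while a 2^-32 budget caps a single key at roughly 2^48.5 blocks (about 2^32.5 messages of 2^16 blocks).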
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls