Dear Kenny,

> From: "Paterson, Kenny" <kenny.pater...@rhul.ac.uk>
> Date: Friday, February 10, 2017 at 12:22 PM
> To: 'Quynh' <quynh.d...@nist.gov>, Sean Turner <s...@sn3rd.com>
> Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
>
> Dear Quynh,
>
> On 10/02/2017 12:48, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>
> > Hi Kenny,
>
> Hi,
>
> > > My preference is to go with the existing text, option a). From the github
> > > discussion, I think option c) involves a less conservative security bound
> > > (success probability for IND-CPA attacker bounded by 2^{-32} instead of
> > > 2^{-60}). I can live with that, but the WG should be aware of the weaker
> > > security guarantees it provides.
> > >
> > > I do not understand option b). It seems to rely on an analysis of
> > > collisions of ciphertext blocks rather than the established security
> > > proof for AES-GCM.
> >
> > My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as being
> > a counter-mode encryption and each counter is a 96-bit nonce || 32-bit
> > counter. I don't know if there is another kind of proof that is more
> > precise than that.
>
> Thanks for explaining. I think, then, that what you are doing is (in effect)
> accounting for the PRP/PRF switching lemma that is used (in a standard way)
> as part of the IND-CPA security proof of AES-GCM. One can obtain a greater
> degree of precision by using the proven bounds for IND-CPA security of
> AES-GCM. These incorporate the "security loss" coming from the PRP/PRF
> switching lemma. The current best form of these bounds is due to Iwata et
> al. This is precisely what we analyse in the note at
> http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf - specifically, see equations
> (5) - (7) on page 6 of that note.

I reviewed the paper more than once. I highly value the work.

I suggested referencing your paper in the text. I think the result in your
paper is the same as what is being suggested when the collision probability
allowed is 2^(-32).

Regards,
Quynh.

> Regards,
> Kenny
>
> > Regards,
> > Quynh.
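The counting argument discussed in the thread (each keystream block is an AES output on a distinct 96-bit nonce || 32-bit counter input, and the PRP/PRF switching lemma bounds the IND-CPA advantage), worked through for the two success-probability targets mentioned, 2^-60 and 2^-32; this is an added example and is not code from the thread, from the TLS draft or from the Luykx-Paterson note, and it computes the plain switching-lemma bound rather than the tighter Iwata et al. bounds. The figures of 1024 keystream blocks per full-size (2^14-byte) TLS 1.3 record and 2^32 - 2 data blocks per nonce (the SP 800-38D GCM limit) are assumptions taken from TLS 1.3 and GCM, not from the thread.

```python
from fractions import Fraction

BLOCK_BITS = 128              # AES block size n: every keystream block is one PRP output
CTR_BITS = 32                 # counter width in the 96-bit nonce || 32-bit counter layout
FULL_RECORD_BLOCKS = 2 ** 10  # assumption: a full 2^14-byte TLS 1.3 record needs 1024 keystream blocks


def switching_lemma_advantage(q_blocks: int, n: int = BLOCK_BITS) -> Fraction:
    """Counting bound: q distinct counter blocks through a PRP instead of a PRF
    cost at most q(q-1)/2^(n+1) of IND-CPA advantage (PRP/PRF switching
    lemma). Exact rationals, so no floating-point rounding near 2^-60."""
    return Fraction(q_blocks * (q_blocks - 1), 2 ** (n + 1))


def max_blocks(log2_adv: int, n: int = BLOCK_BITS) -> int:
    """Largest q whose advantage is still <= 2^log2_adv (e.g. -60 or -32)."""
    target = Fraction(1, 2 ** (-log2_adv))
    lo, hi = 1, 2 ** n
    while lo < hi:                  # binary search; the bound is monotone in q
        mid = (lo + hi + 1) // 2
        if switching_lemma_advantage(mid, n) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def max_full_records(log2_adv: int) -> int:
    """Turn the keystream-block budget into full-size records under one key."""
    return max_blocks(log2_adv) // FULL_RECORD_BLOCKS


def fits_counter(blocks_in_record: int) -> bool:
    """One record must not wrap its 32-bit counter: GCM spends counter value 1
    on the tag mask and must never reuse it, so a record may carry at most
    2^32 - 2 data blocks (assumption: the SP 800-38D per-nonce limit)."""
    return blocks_in_record <= 2 ** CTR_BITS - 2


if __name__ == "__main__":
    for adv in (-60, -32):
        q, r = max_blocks(adv), max_full_records(adv)
        print(f"advantage <= 2^{adv}: {q} keystream blocks, {r} full-size records")
```

For n = 128 the 2^-60 target allows roughly 2^34.5 blocks (about 2^24.5 full-size records) and the 2^-32 target roughly 2^48.5 blocks, which is the gap between the two options the thread compares.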
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls