Dear Kenny,

From: "Paterson, Kenny" <kenny.pater...@rhul.ac.uk>
Date: Friday, February 10, 2017 at 12:22 PM
To: 'Quynh' <quynh.d...@nist.gov>, Sean Turner <s...@sn3rd.com>
Cc: IRTF CFRG <c...@irtf.org>, <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Dear Quynh,

On 10/02/2017 12:48, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:

Hi Kenny,

Hi,


My preference is to go with the existing text, option a).


From the github discussion, I think option c) involves a less conservative security bound (success probability for IND-CPA attacker bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be aware of the weaker security guarantees it provides.


I do not understand option b). It seems to rely on an analysis of collisions of ciphertext blocks rather than the established security proof for AES-GCM.




My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as being a counter-mode encryption and each counter is a 96-bit nonce || 32-bit counter. I don't know if there is another kind of proof that is more precise than that.

Thanks for explaining. I think, then, that what you are doing is (in effect) accounting for the PRP/PRF switching lemma that is used (in a standard way) as part of the IND-CPA security proof of AES-GCM. One can obtain a greater degree of precision by using the proven bounds for IND-CPA security of AES-GCM. These incorporate the "security loss" coming from the PRP/PRF switching lemma. The current best form of these bounds is due to Iwata et al. This is precisely what we analyse in the note at http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf - specifically, see equations (5) - (7) on page 6 of that note.

I reviewed the paper more than once. I highly value the work. I suggested referencing your paper in the text. I think the result in your paper is the same as what is being suggested when the collision probability allowed is 2^(-32).

Regards,
Quynh.


Regards,

Kenny



Regards,
Quynh.
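A worked version of the counting argument in this thread, added here as an illustration (it is not code from the e-mails or from the TLS-AEbounds note): it treats each record's AES-GCM block-cipher calls as counter-mode blocks under one 96-bit nonce || 32-bit counter and uses the simplified PRP/PRF switching term sigma^2 / 2^129, an assumption standing in for the exact Iwata et al. bound, to estimate how many full-size TLS 1.3 records one key can protect at the 2^-60 and 2^-32 targets being compared.

```python
# Added illustration for the counting argument in the thread; not code from
# the e-mails or from the TLS-AEbounds note. Model: every AES-GCM record in
# TLS 1.3 consumes ceil(len/16) counter blocks plus one block for the tag
# mask, all under one key; the distinguishing advantage is approximated by the
# PRP/PRF switching term sigma^2 / 2^129 (assumption: the exact Iwata et al.
# bound has additional lower-order terms and is not reproduced here).
import math

BLOCK_BYTES = 16
TLS13_MAX_PLAINTEXT = 2**14  # maximum TLSInnerPlaintext size per record


def blocks_per_record(plaintext_len: int) -> int:
    """AES calls per record: ceil(len/16) keystream blocks plus the
    block E_K(J0) that masks the GHASH output to form the tag."""
    return -(-plaintext_len // BLOCK_BYTES) + 1


def switching_advantage(total_blocks: int) -> float:
    """Simplified PRP/PRF switching-lemma term for sigma block-cipher
    calls under a single key: sigma^2 / 2^129 (assumption, see header)."""
    return total_blocks**2 / 2**129


def max_records(target_log2_adv: int,
                plaintext_len: int = TLS13_MAX_PLAINTEXT) -> int:
    """Largest record count of the given size that keeps the switching
    term at or below 2**target_log2_adv (e.g. -60 or -32)."""
    # sigma^2 / 2^129 <= 2^t  <=>  sigma <= 2^((129 + t) / 2)
    sigma_max = 2 ** ((129 + target_log2_adv) / 2)
    return int(sigma_max // blocks_per_record(plaintext_len))


if __name__ == "__main__":
    for target in (-60, -32):  # the two bounds compared in the thread
        n = max_records(target)
        adv = switching_advantage(n * blocks_per_record(TLS13_MAX_PLAINTEXT))
        print(f"target 2^{target}: ~2^{math.log2(n):.1f} full-size records, "
              f"advantage 2^{math.log2(adv):.2f}")
```

For the 2^-60 target the count comes out near 2^24.5 full-size records, the figure used in the existing TLS 1.3 text; relaxing the target to 2^-32 moves it to roughly 2^38.5 records.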


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
