I agree with Christian here ... On Mon, May 8, 2023 at 7:28 PM Christian Huitema <[email protected]> wrote:
> OK, I understand the tradeoff: actual security of AES-GCM depends on > tagbits - log2(message_size/128), but for AES-GCM-SST there is no > dependency on packet size. > I'm pointing to the first sentence,* in bold. * > > *I am afraid that we will have long discussions about proper levels of > security.* For current implementations of QUIC, the most frequent packet > size is lower than 1536. The maximum packet length at the IP layer is > 65535. The effective security of 16 bit tags is thus between 124 and 119 > bits, so we could argue that with SST 120 bits would probably be OK. > > Except that shaving just one byte per packet is not really exciting. > Going to 64 bits would be, but then forgeries seem doable, even with > SST. Using 96 bit tags might make sense, if QUIC implementers agree with > the security tradeoff. And also if we can be convinced that this is not > an avenue for a downgrade attack... > As above, I agree, and I hope our "long discussions" are as short as possible, and happen as early as possible, and as efficiently as possible. John's note on this topic started out (I think) in SFRAME and MOQ, where people suggested that he should also let the QUIC working group know about it, and other people suggested he should also let AVTCORE know about it. If the community can pick a venue to have a single conversation, and have that conversation until it converges, in a way that this proposal doesn't trip over obvious objections after WGLC, that would be a lot shorter, earlier, and more efficiently than letting multiple working groups duke it out during IETF Last Call! Best, Spencer
