On 12/15/2015 04:08 PM, Henrick Hellström wrote:
> On 2015-12-16 00:48, Eric Rescorla wrote:
>>
>>
>> On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
>> <sfluh...@cisco.com> wrote:
>>     The quadratic behavior in the security proofs is there for just
>>     about any block cipher mode, and is the reason why you want to stay
>>     well below the birthday bound.
>>
>>
>> The birthday bound here is 2^{64}, right?
>>
>> -Ekr
>>
>>        However, that's as true for (say) CBC mode as it is for GCM
>
> Actually, no.
>
> Using the sequence number as part of the effective nonce means that it won't collide. There is no relevant bound for collisions in the nonces or in the CTR state, because they simply won't happen (unless there is an implementation flaw). There won't be any potentially exploitable collisions.
>

Here is one attack that exploits such a collision: https://www.ietf.org/mail-archive/web/openpgp/current/msg08345.html

> However, theoretically, the GHASH state might collide with a 2^{64} birthday bound. This possibility doesn't seem entirely relevant, though.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls