> -----Original Message-----
> From: TLS [mailto:[email protected]] On Behalf Of Henrick Hellström
> Sent: Tuesday, December 15, 2015 7:09 PM
> To: [email protected]
> Subject: Re: [TLS] Data volume limits
>
> On 2015-12-16 00:48, Eric Rescorla wrote:
> >
> >
> > On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
> > <[email protected] <mailto:[email protected]>> wrote:
> > The quadratic behavior in the security proofs is there for just
> > about any block cipher mode, and is the reason why you want to stay
> > well below the birthday bound.
> >
> >
> > The birthday bound here is 2^{64}, right?
> >
> > -Ekr
> >
> > However, that's as true for (say) CBC mode as it is for GCM
>
> Actually, no.
>
> Using the sequence number as part of the effective nonce, means that it
> won't collide. There is no relevant bound for collisions in the nonces or in
> the
> CTR state, because they simply won't happen (unless there is an
> implementation flaw). There won't be any potentially exploitable collisions.
>
> However, theoretically, the GHASH state might collide with a 2^{64} birthday
> bound. This possibility doesn't seem entirely relevant, though.
That is a good point, and deserves to be examined more.
With CBC mode, there's a probability that two different ciphertext blocks will
happen to be identical; when that unlikely event happens, the attacker can
determine the bitwise difference between the corresponding plaintext blocks
(and thereby leak a small amount of plaintext).
This doesn't happen with GCM. Instead, the distinguisher is of this form: the
attacker with a potential plaintext can compute the internal CTR values for
GCM; if he sees a duplicate value, he can deduce that that potential plaintext
wasn't the real one (because the internal CTR values never repeat).
Assuming that they cannot distinguish AES with a random key from a random
permutation, that's the only thing they can learn.
That is, when they prove that there is no distinguisher with better than
2^{-64} advantage, what they are referring to (in practice) is that the
attacker could eliminate a tiny fraction (1 out of 2^{64}) of the possible
plaintexts; they gain no more information than that.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
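An added illustration of the two behaviours Scott contrasts above (not code from the thread or from any TLS implementation): a CBC ciphertext-block collision hands a passive observer the XOR of two plaintext blocks, while in counter mode a repeated keystream block can only tell the observer that a candided plaintext guess is wrong. It assumes a constructed 32-bit toy block cipher, so the birthday bound is reached after a few hundred thousand blocks instead of 2^64; key, IV and plaintexts are seeded random values, also constructed here.

```python
import random
BLOCK_BITS = 32   # toy block size; 3DES has 64 and AES 128 (hence the 2^64-block birthday bound)
MASK = (1 << BLOCK_BITS) - 1

def toy_encrypt_block(key: int, x: int) -> int:
    # Toy keyed bijection on 32-bit blocks (constructed for this demo, NOT a real cipher).
    x = ((x ^ key) * 0x9E3779B1) & MASK                 # odd multiplier: bijective mod 2^32
    x = ((x << 13) | (x >> (BLOCK_BITS - 13))) & MASK   # rotation: bijective
    return ((x * 0x85EBCA77) & MASK) ^ (key >> 3)       # odd multiplier, then xor: bijective

def cbc_encrypt(key, iv, pt_blocks):
    prev, ct = iv, []
    for p in pt_blocks:
        prev = toy_encrypt_block(key, p ^ prev)         # C_k = E(P_k xor C_{k-1}), C_0 = IV
        ct.append(prev)
    return ct

def find_repeat(blocks):
    # First (i, j), 1-indexed, i < j, with block i == block j; None if all are distinct.
    seen = {}
    for k, b in enumerate(blocks, start=1):
        if b in seen:
            return seen[b], k
        seen[b] = k
    return None

def cbc_leak(iv, ct, i, j):
    # C_i == C_j and E bijective give P_i xor P_j == C_{i-1} xor C_{j-1}: public information.
    chain = [iv] + ct
    return chain[i - 1] ^ chain[j - 1]

def ctr_encrypt(key, nonce, pt_blocks):
    # C_k = P_k xor E(nonce + k): counters are distinct, so keystream blocks never repeat.
    return [p ^ toy_encrypt_block(key, (nonce + k) & MASK) for k, p in enumerate(pt_blocks)]

def ctr_candidate_plausible(ct, candidate_pt):
    # The GCM-side distinguisher from the thread: a candidate implying a repeated keystream block is wrong.
    return find_repeat([c ^ p for c, p in zip(ct, candidate_pt)]) is None

def demo(n_blocks=1 << 19, seed=1):
    rng = random.Random(seed)                           # seeded so the run is reproducible
    key, iv = rng.getrandbits(BLOCK_BITS), rng.getrandbits(BLOCK_BITS)
    pt = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(key, iv, pt)
    hit = find_repeat(ct)
    leak_ok = hit is not None and cbc_leak(iv, ct, *hit) == pt[hit[0] - 1] ^ pt[hit[1] - 1]
    wrong = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]   # a wrong candidate plaintext
    ctr_ct = ctr_encrypt(key, iv, pt)                   # same seeded value doubles as the CTR nonce
    return {"expected_cbc_collisions": n_blocks * (n_blocks - 1) / 2 / (1 << BLOCK_BITS),
            "cbc_collision": hit, "cbc_leak_verified": leak_ok,
            "real_plausible": ctr_candidate_plausible(ctr_ct, pt), "wrong_plausible": ctr_candidate_plausible(ctr_ct, wrong)}
```

With 2^19 blocks of a 32-bit cipher about 32 CBC collisions are expected, which is the same n^2 / 2^(b+1) arithmetic that puts the AES-CBC limit near 2^64 blocks; the CTR check, by contrast, rejects the wrong candidate without revealing anything about the real plaintext.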