Quoting Aaron Zauner <[email protected]>:
>> On the other hand, after 2^60 OCB messages of 2^16 blocks (and thus 2^76
>> total blocks), a block collision is almost guaranteed to have happened,
>> enabling the aforementioned forgeries.
> Sure. Would you see any way to improve this situation in the draft,
> i.e. give implementation recommendations or similar?
I think the FAQ you quoted before (itself quoting RFC 7253) suggesting
the limitation of blocks processed to 2^48 is reasonable. Depending on
the consensus here on what an acceptable success probability for an
attacker is, you may want to bring that down to 2^32, as is being
suggested for GCM.
P.S.: Apologies. I had interpreted your diversion into OCB as
suggesting it as an alternative to GCM to address the data volume
limitation in question. On a second read, that turned out not to be
the case, and you were only asking for help.
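The birthday-bound arithmetic behind the block limits discussed above, as an added Python example that is not part of this thread: it computes the collision probability for the block counts named in the message (assuming AES's 128-bit block, as both OCB and GCM use) and turns an agreed-upon attacker success probability back into a power-of-two block limit.

```python
import math

# Assumption: a 128-bit block cipher (AES), as used by both OCB and GCM.
BLOCK_BITS = 128


def collision_probability(blocks, block_bits=BLOCK_BITS):
    """Birthday-bound probability that at least two of `blocks` cipher
    blocks collide: p = 1 - exp(-q(q-1) / 2^(n+1)).  -expm1 keeps the
    result precise when p is tiny (e.g. 2^-65), and Python integers keep
    q(q-1) exact even for q = 2^76."""
    q = blocks
    if q < 2:
        return 0.0
    exponent = -(q * (q - 1)) / 2 ** (block_bits + 1)
    return -math.expm1(exponent)


def collision_log2(blocks, block_bits=BLOCK_BITS):
    """log2 of the collision probability, so 2^-33 reads as -33."""
    return math.log2(collision_probability(blocks, block_bits))


def largest_power_of_two_block_limit(max_probability, block_bits=BLOCK_BITS):
    """Largest k such that processing 2^k blocks keeps the birthday-bound
    collision probability at or below `max_probability`.  This is how an
    agreed attacker success probability maps to a per-key block limit."""
    if not 0 < max_probability < 1:
        raise ValueError("max_probability must lie strictly between 0 and 1")
    k = 0
    while k < block_bits and \
            collision_probability(2 ** (k + 1), block_bits) <= max_probability:
        k += 1
    return k


if __name__ == "__main__":
    # The three block counts from the discussion: 2^76 (collision near
    # certain), the RFC 7253 FAQ limit of 2^48, and the stricter 2^32.
    for exp in (76, 48, 32):
        p = collision_probability(2 ** exp)
        print(f"2^{exp} blocks: p ~= {p:.3g} (2^{math.log2(p):.1f})")
    for target in (33, 64):
        k = largest_power_of_two_block_limit(2 ** -target)
        print(f"success probability <= 2^-{target}: limit 2^{k} blocks")
```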
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls