Hi

On 12/07/2016 18:12, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:

>Hi Kenny, 
>
>On 7/12/16, 1:05 PM, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk> wrote:
>
>>Hi
>>
>>On 12/07/2016 16:12, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>>
>>>Hi Kenny,
>>>
>>>I support the strongest indistinguishability notion mentioned in (*)
>>>above, but in my opinion we should provide a good description to the
>>>users.
>>
>>OK, I think now we are at the heart of your argument. You support our
>>choice of security definition and method of analysis after all.
>>
>>And we can agree that good descriptions can only help.
>>
>>>That is why I support the limit around 2^38 records.
>>
>>I don't see how changing 2^24.5 (which is in the current draft) to 2^38
>>provides a better description to users.
>>
>>Are you worried they won't know what a decimal in the exponent means?
>>
>>Or, more seriously, are you saying that 2^{-32} for single key attacks is
>>a big enough security margin? If so, can you say what that's based on?
>
>It would not make sense to ask people to rekey unnecessarily. 1 in 2^32 is
>1 in 4,294,967,296 for the indistinguishability attack.

I would agree that it does not make sense to ask TLS peers to rekey
unnecessarily. I also agree that 1 in 2^32 is
1 in 4,294,967,296. Sure looks like a big, scary number, don't it?

Are you then arguing that 2^{-32} for single key attacks is a big enough
security margin because we want to avoid rekeying? Then do you have a
specific concern about the security of rekeying? I could see various ways
in which it might go wrong if not designed carefully.

Or are you directly linking a fundamental security question to an
operational one, by which I mean: are you saying we should trade security
for avoiding the "cost" of rekeying for some notion of "cost"? If so, can
you quantify the cost for the use cases that matter to you?

Cheers,

Kenny 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
