Hi Kenny,
On 7/12/16, 1:39 PM, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk> wrote:
>Hi
>
>On 12/07/2016 18:12, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>
>>Hi Kenny,
>>
>>On 7/12/16, 1:05 PM, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk> wrote:
>>
>>>Hi
>>>
>>>On 12/07/2016 16:12, "Dang, Quynh (Fed)" <quynh.d...@nist.gov> wrote:
>>>
>>>>Hi Kenny,
>>>>
>>>>I support the strongest indistinguishability notion mentioned in (*)
>>>>above, but in my opinion we should provide good description to the
>>>>users.
>>>
>>>OK, I think now we are at the heart of your argument. You support our
>>>choice of security definition and method of analysis after all.
>>>
>>>And we can agree that good descriptions can only help.
>>>
>>>>That is why I support the limit around 2^38 records.
>>>
>>>I don't see how changing 2^24.5 (which is in the current draft) to 2^38
>>>provides a better description to users.
>>>
>>>Are you worried they won't know what a decimal in the exponent means?
>>>
>>>Or, more seriously, are you saying that 2^{-32} for single key attacks
>>>is
>>>a big enough security margin? If so, can you say what that's based on?
>>
>>It would not make sense to ask people to rekey unnecessarily. 1 in 2^32
>>is
>>1 in 4,294,967,296 for the indistinguishability attack.
>
>I would agree that it does not make sense to ask TLS peers to rekey
>unnecessarily. I also agree that 1 in 2^32 is
>1 in 4,294,967,296. Sure looks like a big, scary number, don't it?
>
>Are you then arguing that 2^{-32} for single key attacks is a big enough
>security margin because we want to avoid rekeying?
Because it is safe therefore there are no needs to rekey. I don¹t
recommend to run another function/protocol when there are no needs for it.
I don¹t see any particular reasons for mentioning single key in the
indistinguishability attack here.
>Then do you have a
>specific concern about the security of rekeying? I could see various ways
>in which it might go wrong if not designed carefully.
>
>Or are you directly linking a fundamental security question to an
>operational one, by which I mean: are you saying we should trade security
>for avoiding the "cost" of rekeying for some notion of "cost"? If so, can
>you quantify the cost for the use cases that matter to you?
>
>Cheers,
>
>Kenny
Regards,
Quynh.
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
