Update AEAD limits for larger packets #4175
Conversation
The analysis describes conditions where higher limits might be allowed, and provides a formula in each case that can be used to determine other limits more readily. The number of changes I've made here is somewhat frightening. This is why I resisted doing this. This will need careful double-checking. The actual numbers don't concern me much; it's the changes to the structure that need to be looked at. Some of the changes are editorial, but they still need extra eyes. Closes #3701.
cc @fxguenther
This PR is exactly what I was hoping for, thanks for writing it. As far as I can tell, it's correct. It also fully addresses my concerns from #3701.
Thanks, @martinthomson! I checked the derivations and produced the same results.
The actual analysis is beyond my scope, but the text looks good.
draft-ietf-quic-tls.md (outdated)
keys without causing an attacker to gain a larger advantage than the target of
2^-57. Note however that the integrity limits further constrain this value.
The integrity limit in Theorem 1 in {{?CCM-ANALYSIS}} provides an attacker a
strictly higher advantage for the same number of messages. As the targets
strictly higher advantage for the same number of messages. As the targets
strictly higher advantage for the same number of messages. As the target
Or "targeted"?
I'm trying to say that the "value of the goal" is the same. I think that this is correct.
I think that you might say "target advantages for A and B", but I think that "advantages" means something else and so I avoided the plural.
Maybe instead "As the target for both the confidentiality advantage and integrity advantage is the same, ..." ?
My grammar skillz aren't up to this, clearly.
Or plural works in that last arrangement, so "As the targets for the confidentiality advantage and the integrity advantage are the same...." I think any of them are fine, so long as they agree in number. What stuck out to me was "targets advantage" more than anything else.
@@ -2337,18 +2352,19 @@ distinguishing advantage between a real and random AEAD algorithm gained by an | |||
attacker is: | |||
|
|||
~~~ | |||
2 * (q * l)^2 / 2^128 | |||
2 * (q * l)^2 / 2^n |
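Review bot: replacing 2^128 with 2^n in the displayed bound introduces a symbol that the visible context around the hunk never defines; the lead-in sentence ("distinguishing advantage between a real and random AEAD algorithm gained by an attacker is:") should state what n is, for instance "where n is the block size of the underlying block cipher in bits (128 for AES)", so that the generalized formula still evaluates to the previous bound for AES and a reader of this section alone can apply it to another cipher.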
I forgot to call this out. @chris-wood, can you check that this is right here? I think that this comes from the `\sigma*B/2^n` term in Bad3 in the paper, but I want to make sure that my understanding is correct in that we are treating `\sigma*B` as `\sigma^2` in the single-user case.
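A worked rearrangement of the bound shown in the hunk above, added here as an illustration and not part of the PR, the draft text or the cited analysis. It assumes only the displayed formula, the target advantage of 2^-57 quoted earlier in this thread, and that n denotes the block size of the underlying cipher in bits (128 for AES), which is an assumption about the draft's notation rather than something the hunk states:

$$
\frac{2\,(q\,l)^2}{2^{n}} \le 2^{-57}
\;\Longleftrightarrow\; (q\,l)^2 \le 2^{\,n-58}
\;\Longleftrightarrow\; q \le \frac{2^{(n-58)/2}}{l},
\qquad\text{so for } n = 128:\quad q \le \frac{2^{35}}{l}.
$$

Under this bound the permitted number of packets q scales inversely with the packet length l measured in cipher blocks: every doubling of the maximum packet size costs one bit in the exponent of the packet limit, which is what makes the limits sensitive to the larger packets this PR accounts for.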
A few minor points.
wrapping needed... Co-authored-by: Jana Iyengar <[email protected]>
The analysis describes conditions where higher limits might be allowed, and provides a formula in each case that can be used to determine other limits more readily.
The number of changes I've made here is somewhat frightening. This is why I resisted doing this. This will need careful double-checking. I think that this is better, but I'm not sure that I feel happy about having spent the time.
The actual numbers don't concern me much, anyone can subtract 2, but the changes to the structure really need to be looked at. Some of the changes are editorial, but they still need extra eyes.
Closes #3701.