Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Yoav Nir <ynir.ietf@gmail.com> Tue, 14 February 2017 19:45 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7363412943B for <cfrg@ietfa.amsl.com>; Tue, 14 Feb 2017 11:45:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lcvMBYtOz6Nx for <cfrg@ietfa.amsl.com>; Tue, 14 Feb 2017 11:45:37 -0800 (PST)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CB8F1297C1 for <cfrg@irtf.org>; Tue, 14 Feb 2017 11:45:37 -0800 (PST)
Received: by mail-wm0-x241.google.com with SMTP id c85so5152750wmi.1 for <cfrg@irtf.org>; Tue, 14 Feb 2017 11:45:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=bzToNcj0dDUIpOb/RXD4K5BmSD4ioLRGrxo6Z4cPeRs=; b=PAUgx5Mu7Ah/ioHBtLDS0r/BF4bHW79s4+A8vpEWhypmPdwox32dUAQo/DOfyGRcIc us8zG2mTMj9Ryi1hnK5uH/nMiTht6DnRhs7+PqHyyYekR5TM2v8rEB17MbEcm6r0TkiF WbZgw4Dq/uJexyxx/r+QwzrNiEb2VHnauiFH4TzQrzFLeRV6B93ZhYzZvHWFmD2GVhQP LKrXGnwhv8p5wpwyVID3kfZO1P1pNbAu3kKBNjetxLMVYRAsS/ioT1ZA1UZvbGRaiIa7 Kw78V8N44KYE06eu0dC27BDx3JExXr4aG7jHGLZHsPwODsuxt6hFohGZ7vOK3rQL+mrY gFMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=bzToNcj0dDUIpOb/RXD4K5BmSD4ioLRGrxo6Z4cPeRs=; b=OrLHcZt8FWLKO+Twi/fOD0vnoSeVZrSb8G4u7rqzqdY0BoHLK2Pf2m3D6MJ0hfg8UR u0ByM+A+Z/YZKrFzZaAUFtgKENhD6QEmRyrG5I/ZUwoALOrR5V0G71Ql/9Du3fJTSbTr XxNKKwI0zt5OO1AyMtzlge8uIy41O3HS9KUUCzo4TYU7dOqp0cSWM+PkexyrTQ/BTBkV BmcJXvs7cQS7WCztTRozYgsvJqlusUuLKLyEbkmWO3bGtAxKHl7Cc9fOm+auaEZBoKWM pzdxEIwFKfdghxHTn2+qunsd43szzEjZWShY6SYrML4oZ2cdM6fD2Kgsvv8akPd15bMY pOOg==
X-Gm-Message-State: AMke39nHfMD2VH2QiPBTTrmg84ojXwggBQj8bnN/isIZlOBEXMQqYdF2l6haDEeLGhWWqw==
X-Received: by 10.28.57.131 with SMTP id g125mr4744554wma.33.1487101536095; Tue, 14 Feb 2017 11:45:36 -0800 (PST)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id z67sm1963135wrb.49.2017.02.14.11.45.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Feb 2017 11:45:35 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <BD6FC1F4-F2ED-46F8-9E53-862B69D9C00A@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_FEA34146-C7F0-46C7-8686-9290B478C5FA"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 14 Feb 2017 21:45:32 +0200
In-Reply-To: <CY4PR09MB1464278F1845979862CA9C8EF3580@CY4PR09MB1464.namprd09.prod.outlook.com>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CABkgnnVrFGHe0eKREXbG_pv=y18ouopZsE2c5+Czz0HAGko6rg@mail.gmail.com> <D4C331C7.86224%kenny.paterson@rhul.ac.uk> <VI1PR8303MB0094D686941D99290BB431FCAB590@VI1PR8303MB0094.EURPRD83.prod.outlook.com> <D4C73D19.2FB4B%qdang@nist.gov> <D4C85054.2FDA4%qdang@nist.gov> <be49d59e37339cbaea8fef9bdb2a8971@esat.kuleuven.be> <D4C8AE28.30145%qdang@nist.gov> <CY4PR09MB1464278F1845979862CA9C8EF3580@CY4PR09MB1464.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JAvUYYxOSIEJz_MMyvy84u7v5MY>
Cc: IRTF CFRG <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>, Sean Turner <sean@sn3rd.com>
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 19:45:39 -0000

Hi, Quynh

> On 14 Feb 2017, at 20:45, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:
> 
> Hi Sean and all,
> 
> Beside my suggestion at https://www.ietf.org/mail-archive/web/tls/current/msg22381.html <https://www.ietf.org/mail-archive/web/tls/current/msg22381.html>, I have a second suggestion below.
> 
> Just replacing this sentence: "
> For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be
>    encrypted on a given connection while keeping a safety margin of
>    approximately 2^-57 for Authenticated Encryption (AE) security.
> " in Section 5.5 by this sentence: " For AES-GCM, up to 2^48 (partial or full) input blocks may be encrypted with one key. For other suggestions and analysis, see the referred paper above."
> 
> Regards,
> Quynh.

I like the suggestion, but I’m probably missing something pretty basic about it.

2^24.5 full-size records is 2^24.5 records of 2^14 bytes each, or (since an AES block is 16 bytes or 2^4 bytes) 2^24.5 records of 2^10 blocks.

Why is that 2^48 input blocks rather than 2^34.5 input blocks?

Thanks

Yoav