[quicwg/base-drafts] ed9bbf: Update AEAD limits

Martin Thomson <noreply@github.com> Mon, 06 July 2020 06:58 UTC

Date: Sun, 05 Jul 2020 23:58:10 -0700
From: Martin Thomson <noreply@github.com>
To: quic-issues@ietf.org
Message-ID: <quicwg/base-drafts/push/refs/heads/aead-limits2/5e7bfa-ed9bbf@github.com>
Subject: [quicwg/base-drafts] ed9bbf: Update AEAD limits
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/73ULpTh4GVb9BnfRf3x_gJvA9U0>

  Branch: refs/heads/aead-limits2
  Home:   https://github.com/quicwg/base-drafts
  Commit: ed9bbfc7a712b67466842abef03932dbf369dc1e
      https://github.com/quicwg/base-drafts/commit/ed9bbfc7a712b67466842abef03932dbf369dc1e
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update AEAD limits

This corrects an arithmetic error in the calculation of the
confidentiality limit for AES-GCM.

It also changes to using a fixed advantage target of 2^-57 for both
confidentiality and integrity.  The inconsistent use of different limits
was making it hard to reason about.  As the overall target is AE
security, the net effect of this is a factor of 2 improvement in
attacker advantage over what is in the TLS analysis, which was
2^-57+2^-60.  This moves to 2^-56 overall, which is cleaner.

In doing so, I discovered that the integrity limits for both AES-GCM and
AES-CCM were being set independent of the confidentiality limits, but
that the confidentiality limits assumed limits on the number of
forgeries.  As a result, the limits on forgeries had to be capped based
on those assumptions.