Re: [quicwg/base-drafts] Define an anti-forgery limit (#3620)

[Martin Thomson <notifications@github.com>]

@martinthomson commented on this pull request.



> +For a target advantage of 2^-60, which matches that used by {{!TLS13}}, this
+results in the relation:
+
+~~~
+q <= 2^23
+~~~
+
+That is, endpoints cannot protect more than 2^23 packets with the same set of
+keys without causing an attacker to gain an larger advantage than the target of
+2^-60.
+
+
+## Integrity Limits
+
+For integrity, Theorem 1 in {{?CCM-ANALYSIS}} establishes that an attacker
+gains an advantage over an ideal PRP of no more than:

I don't think that this is a distinguishing advantage, but a forgery advantage.  That is, the odds of being able to forge increase, not to determine whether a forgery would be successful without consulting the oracle.

> @@ -2029,6 +2079,104 @@ ffff00001b0008f067a5502a4262b574 6f6b656ea523cb5ba524695f6569f293
 a1359d8e
 ~~~
 
+# Analysis of Limits on AEAD_AES_128_CCM Usage {#ccm-bounds}

This is an appendix :)

And yeah, I'm not all that happy that this is not in a peer-reviewed paper, but TLS didn't have that either.  The mitigating factors are that this is being carefully reviewed (my two screwups so far have been caught), and the math is fairly simple once you get past the layers of obfuscation.

> +successfully forge a packet; see {{AEBounds}} and {{ROBUST}}.
+
+For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit on
+the number of packets that fail authentication is 2^36.  Note that the analysis
+in {{AEBounds}} supports a higher limit for the AEAD_AES_128_GCM and
+AEAD_AES_256_GCM, but this specification recommends a lower limit.  For
+AEAD_AES_128_CCM, the limit on the number of packets that fail authentication
+is 2^23.5; see {{ccm-bounds}}.
+
+Note:
+
+: These limits were originally calculated using assumptions about the
+  limits on TLS record size. The maximum size of a TLS record is 2^14 bytes.
+  In comparison, QUIC packets can be up to 2^16 bytes.  However, it is
+  expected that QUIC packets will generally be smaller than TLS records.
+  Where packets might be larger than 2^14 bytes in length, smaller limits might

Yes, that is what it says.  And it should be scary.  That is, if you want 64k packets, be prepared to read the papers.  (However, if someone ignores this, the damage isn't that bad, as the worst effect from this set of AEADs is in reducing the margin by a factor of 16 to 2^-56/2^-53, which is still small.)

It also says that the margins are usually better in practice than the analysis permits.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3620#discussion_r422727856