Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)

Martin Thomson <> Wed, 06 May 2020 07:08 UTC


Thanks for checking this @fxguenther.  I was a little concerned about the PRP/PRF split, so I'm glad to have you correct me.

I ultimately went with per-AEAD recommendations, and a lower limit for CCM.  That's mainly to establish some sort of uniformity around 2^-60 and 2^-57.  Even if those are basically arbitrary choices, at least I think they are defensible and using them uniformly establishes the right expectations about what the standard is.

I'm comfortable with specifying different limits for each AEAD in specifications.  In practice, however, I expect a far lower tolerance for forgery attempts.

Assuming that these numbers work out, a review of the pull request would be greatly appreciated.  If there are other relevant papers, I'm always happy to pull those in as well.
