Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)

Martin Thomson <> Fri, 08 May 2020 01:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 286E73A0ADA for <>; Thu, 7 May 2020 18:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.096
X-Spam-Status: No, score=-3.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oMRyLNHyxUL0 for <>; Thu, 7 May 2020 18:37:10 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B82BC3A0AD7 for <>; Thu, 7 May 2020 18:37:10 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E1DFDE0DBE for <>; Thu, 7 May 2020 18:37:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1588901829; bh=ZepofQ0gpQlNgqem/p7bm5TEkJuoI/APj6ZvnUJ3+2A=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=OuW0mFEE5x0USSWRhNxVhxZC9zQvl9yGofvHXj+714MBdymQT36/R5Y4IPJLyRcdF OGJq6OKk4iYdbkKv3c7K0jyaiTils5Y0sAh85pXeetEocxhzjbRxvZuUop3cckN6vq ZpLCqSFqFEt4GXaZ1F1lfaArJ/z54M19rKDzIj+Y=
Date: Thu, 07 May 2020 18:37:09 -0700
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3619/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5eb4b7c5d05f4_74e33fb8958cd95c828fc"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 May 2020 01:37:12 -0000

@chris-wood points out an error in my calculation.  I had based my calculations on direct mapping of `l[E]` in the CCM analysis to `l` in our calculations.  That is, `l` was the number of blocks in the message.  But the analysis by Jonsson defines this as:


The definition of \Beta is the CCM function, so this function really reduces to 2 times the length of the message (in blocks), plus 1 (to account for the additional encryption).  We can ignore the extra 1 as that is absorbed by the tag length.

I'm updating the numbers in the PR.  The result is another halving of the number of packets.  @fxguenther, @ad-l, it's pretty clear that I'm out of my depth here, so your input would be highly valued.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: