Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)

Martin Thomson <> Mon, 04 May 2020 01:49 UTC

Date: Sun, 03 May 2020 18:49:34 -0700
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3619/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)

Based on [this paper analysing CCM]( by Jonsson, I have calculated the bounds on the number of forgeries and encryptions for CCM.  The numbers aren't great, but that probably doesn't matter much for the purposes to which CCM is generally put.

(I'm using the notation from the [AEBounds paper]( here because that is easier to type than some of what is being used in other papers.  For reference, q is the number of genuine encryptions, l is the length of each in 16 byte blocks, v is the number of forgeries, n is the key length in bits, t is the tag length in bits.)

## Confidentiality

Jonsson puts the advantage an attacker has over a generic PRF at `(ql)^2/2^(n+1)`.

If we assume the same numbers in the AEBounds paper for record/packet size, `l=2^10` (this is for consistency, most QUIC packets will be much smaller, in the order of 2^7, but we might also go as high as 2^12; this being dictated by the MTU).  For AES, `n=2^128`.

To keep the advantage an attacker has to 2^-60 (to match the analysis in TLS), we therefore need to keep q to below 2^24.5.  Somewhat unsurprisingly, that matches the numbers we have for AES-GCM.

## Integrity

Jonsson puts the advantage for an attacker over a generic PRF at `v/2^t + (2^l*(v + q))^2/2^(n+1)`.  As the first term is negligible even for large v (up to 2^64), we consider the second term alone and aim for a bound on the advantage of 2^-57 to match the analysis for other ciphers.

That leaves us with `v+q <= 2^26`.  As q is already established to be 2^24.5, we can say that v should be limited to 2^25 (or `log2(2^26 - 2^24.5)` if you want to be precise).

(As a side note, for t=64, as in AEAD_AES_128_CCM_8, the first term becomes relevant and our security bound limits the number of forgeries to 2^7, which is probably a bit limiting in practice.  That's good justification for not enabling AEAD_AES_128_CCM_8 by default; though different applications might use a different target bound than 2^-57.)

## Caveat

I'm not a cryptographer.  These papers all read like chicken-chicken-chicken.  My calculation

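The arithmetic behind the confidentiality and integrity figures in the comment above, as an added worked example that is not part of the thread and not code from the QUIC working group. It uses the AEBounds notation from the comment (q genuine encryptions, l record length in 16-byte blocks, v forgery attempts, n key bits, t tag bits) and assumes the second integrity term is `(l*(v+q))^2 / 2^(n+1)`, which is the reading under which the target of 2^-57 yields `v + q <= 2^26`. Beyond the closed-form bounds, it searches for the largest integer v whose full two-term advantage (first term included) stays under the target, which matters once t drops to 64.

```python
# Added example: CCM bound arithmetic in AEBounds notation.
# Assumptions (not from the thread): the second integrity term is
# (l*(v+q))^2 / 2^(n+1); q is rounded down to an integer before the
# forgery search; the search caps v at 2^64.
import math
from fractions import Fraction


def max_log2_q_confidentiality(log2_l: float, n: int, target_log2: float) -> float:
    """Largest log2(q) with (q*l)^2 / 2^(n+1) <= 2^target_log2."""
    # (q*l)^2 <= 2^(target+n+1)  =>  log2(q) <= (target+n+1)/2 - log2(l)
    return (target_log2 + n + 1) / 2 - log2_l


def max_log2_v_plus_q_integrity(log2_l: float, n: int, target_log2: float) -> float:
    """Largest log2(v+q) when only the (l*(v+q))^2 / 2^(n+1) term is kept."""
    return (target_log2 + n + 1) / 2 - log2_l


def integrity_advantage(v: int, q: int, l: int, n: int, t: int) -> Fraction:
    """Jonsson's integrity bound v/2^t + (l*(v+q))^2 / 2^(n+1), computed exactly."""
    return Fraction(v, 2 ** t) + Fraction((l * (v + q)) ** 2, 2 ** (n + 1))


def max_forgeries(q: int, l: int, n: int, t: int, target_log2: int,
                  v_hi: int = 2 ** 64) -> int:
    """Largest integer v in [0, v_hi] whose full advantage stays <= 2^target_log2.

    The advantage grows monotonically with v, so a binary search suffices.
    """
    target = Fraction(1, 2 ** (-target_log2))
    lo, hi = 0, v_hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if integrity_advantage(mid, q, l, n, t) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def ccm_bounds(log2_l: int = 10, n: int = 128, t: int = 128,
               conf_target: int = -60, int_target: int = -57) -> dict:
    """Reproduce the comment's figures: l=2^10, AES-128, tag 128, targets 2^-60 / 2^-57."""
    log2_q = max_log2_q_confidentiality(log2_l, n, conf_target)   # 24.5
    q = int(2 ** log2_q)                                           # floor(2^24.5), constructed
    log2_vq = max_log2_v_plus_q_integrity(log2_l, n, int_target)  # 26.0
    v = max_forgeries(q, 2 ** log2_l, n, t, int_target)
    return {
        "log2_q": log2_q,
        "log2_v_plus_q": log2_vq,
        "max_v": v,
        "log2_max_v": math.log2(v),
    }


if __name__ == "__main__":
    full = ccm_bounds()            # AEAD_AES_128_CCM: t = 128
    short = ccm_bounds(t=64)       # AEAD_AES_128_CCM_8: t = 64
    print("t=128:", full)
    print("t=64: ", short)
```

With the 128-bit tag the first term is negligible and the search lands just under `2^26 - 2^24.5` (about 2^25.37), as the comment says. With the 64-bit tag the `v/2^t` term dominates: it alone allows 2^7 forgeries at 2^-57, and once the second term (about 2^-60 at these parameters) is added the search returns slightly fewer, which is the practical reason for keeping AEAD_AES_128_CCM_8 off by default.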