Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

David McGrew <> Tue, 19 July 2016 10:03 UTC

From: David McGrew <>
Date: Tue, 19 Jul 2016 05:58:54 -0400
To: Atul Luykx <>

Hi Atul,

> On Jul 19, 2016, at 2:26 AM, Atul Luykx <> wrote:
>> What is especially cool about counter mode encryption is how its real
>> world security degrades more gracefully than CBC mode encryption.  I
>> am not sure that the FSE paper did a good job of saying it in English
>> as opposed to math (except for the last sentence of Section 4), but
>> even though CTR may be just as distinguishable as CBC after some
>> amount of known plaintext is encrypted, counter mode in practice gives
>> away much less information.
> Just to be precise, no attack has been found which illustrates that CTR mode's security degrades like CBC’s.

I either don’t understand the sentence, or I disagree with it. Both CTR and CBC are only secure up to the birthday bound, and are distinguishable at or beyond that bound.

> Nevertheless, it might be possible to formalize your intuition.

Agreed, and what is needed is a measure of the expected amount of information an attacker has about the (unknown) target plaintext, which would be larger in the CBC case than the CTR case. This is interesting, but of course, we should stick with the standard definition of indistinguishability as our security criterion.

Hope this doesn’t sound like nitpicking; I just want to make sure that no one thinks I am suggesting that it is OK to use encryption systems that are distinguishable.

> Atul
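The CBC-versus-CTR point made above, as an added illustration (not part of the thread): past the birthday bound, a repeated CBC ciphertext block hands an attacker with some known plaintext a full unknown block, while in CTR the keystream never repeats, so each known block only rules out one candidate value for an unknown block. The block cipher here is a constructed 16-bit random permutation so the bound is reached instantly; block counts and the seed are assumptions.

```python
import random

BLOCK_BITS = 16                 # toy block size: the birthday bound (2^8 blocks) is reachable instantly
N = 1 << BLOCK_BITS

def make_block_cipher(key):
    """Toy block cipher: a keyed random permutation of 16-bit blocks (constructed stand-in for AES)."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table.__getitem__

def cbc_encrypt(enc, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out

def ctr_encrypt(enc, blocks):
    # Counter block for position i is simply i; inputs never repeat, so keystream blocks never repeat.
    return [p ^ enc(i) for i, p in enumerate(blocks)]

def cbc_recover(iv, ct, known, targets):
    """CBC: C_i == C_t implies P_i ^ C_{i-1} == P_t ^ C_{t-1} (enc is a permutation), so a collision
    with a known-plaintext block yields the unknown block in full. Returns {target: plaintext}."""
    chain = [iv] + ct                            # chain[i] is the block XORed into P_i before enc
    by_ct = {ct[i]: i for i in known}            # ciphertext block -> index of a known block
    recovered = {}
    for t in targets:
        if ct[t] in by_ct:
            i = by_ct[ct[t]]
            recovered[t] = known[i] ^ chain[i] ^ chain[t]
    return recovered

def ctr_candidates(ct, known, targets):
    """CTR: known blocks reveal keystream blocks K_i = C_i ^ P_i. None of them can equal K_t,
    so each only excludes the single candidate C_t ^ K_i. Returns {target: candidates left}."""
    keystream = {ct[i] ^ p for i, p in known.items()}
    return {t: N - len({ct[t] ^ k for k in keystream}) for t in targets}

def demo(n_known=2000, n_target=2000, seed=7):
    rng = random.Random(seed)
    enc = make_block_cipher(rng.getrandbits(64))
    pt = [rng.getrandbits(BLOCK_BITS) for _ in range(n_known + n_target)]   # constructed message
    known = {i: pt[i] for i in range(n_known)}                              # attacker knows the first half
    targets = range(n_known, n_known + n_target)                            # and wants the second half
    iv = rng.getrandbits(BLOCK_BITS)
    cbc_hits = cbc_recover(iv, cbc_encrypt(enc, iv, pt), known, targets)
    ctr_left = ctr_candidates(ctr_encrypt(enc, pt), known, targets)
    return pt, cbc_hits, ctr_left
```

With 4000 blocks of a 16-bit cipher, `demo()` returns on the order of tens of unknown CBC blocks recovered exactly, while every unknown CTR block still has 65536 - 2000 candidates left.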