[TLS] Collision issue in ciphertexts.

"Dang, Quynh" <quynh.dang@nist.gov> Mon, 02 November 2015 07:14 UTC

From: "Dang, Quynh" <quynh.dang@nist.gov>
To: Eric Rescorla <ekr@rtfm.com>, "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: Collision issue in ciphertexts.
Thread-Index: AQHRFT3/uhvieo6mr0iE/9qPshn2sQ==
Date: Mon, 02 Nov 2015 07:13:39 +0000
Message-ID: <BN1PR09MB124321AF53FE4EB4F47AFE9F32C0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <CABcZeBODjk8rapgbNTST8bmFFVzKqB4tJyrvje-CTgk1=gfqFw@mail.gmail.com> <CABkgnnV+QrjcXJdZwwAGW-SpX0Z0_JroEVT-kMJgUAVe7DDQUw@mail.gmail.com> <CABcZeBOrL=TosONYfM_QPPYfT5N4VH7yR4hFw3Qt8W4V0uznkw@mail.gmail.com> <CABkgnnXis0mwqcsd1D0S61kqL6kvq9=ZU0BRbwbLH7Jesj0Y-w@mail.gmail.com> <CABcZeBNpV3uqOF4YohiCrtq03hR7LPnPGdny6yWB+zysVufiqA@mail.gmail.com> <CABkgnnWVJeeBuMitweCj=nOSB5cA-R-6btdQeWp0Bdnomd2XtQ@mail.gmail.com> <CAMfhd9V4WVxKbJh6KkNdVFGBGKh=tG5kC_7sPthOwhrrUi5eoQ@mail.gmail.com> <CABcZeBOc_9i83j4rjxve8PuBPWdd8eCVN2wQth3G0=T_xz1UKg@mail.gmail.com> <811734cd29d64adc98c5388870611575@XCH-ALN-004.cisco.com> <CABcZeBNZJkrVsA9UEN-ywpzUOZy4wJ=2=QDg-KhjNUCvMKi=HA@mail.gmail.com>, <CABcZeBNOJNwL9Akbhnpd2fg8rk80BNYRkODRpqDb9nk2K_m1mg@mail.gmail.com>
In-Reply-To: <CABcZeBNOJNwL9Akbhnpd2fg8rk80BNYRkODRpqDb9nk2K_m1mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN1PR09MB124321AF53FE4EB4F47AFE9F32C0BN1PR09MB124namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2015 07:13:39.9265 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB123
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C4JgfKD4ZcDtFfpVIg2nZwnlxBc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Collision issue in ciphertexts.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 07:14:05 -0000

Hi Eric,


As you asked the question about how many ciphertext blocks should be safe under a single key, I think it is safe to have 2^96 blocks under a given key if the IV (counter) is 96 bits.


When there is a collision between two ciphertext blocks when two different counter values are used , the chance of the same plaintext was used twice is 1^128.  Collisions start to happen a lot when the number of ciphertext blocks are above 2^64. However, each collision just reveals that the corresponding plaintext blocks are probably different ones.



Quynh.

[TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Colm MacCárthaigh
Re: [TLS] Version in record MAC David Benjamin
Re: [TLS] Version in record MAC Martin Thomson
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Martin Thomson
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Martin Thomson
Re: [TLS] Version in record MAC Russ Housley
Re: [TLS] Version in record MAC Adam Langley
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC David McGrew (mcgrew)
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Ilari Liusvaara
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Adam Langley
Re: [TLS] Version in record MAC Eric Rescorla
Re: [TLS] Version in record MAC Eric Rescorla
[TLS] Collision issue in ciphertexts. Dang, Quynh
Re: [TLS] [Cfrg] Collision issue in ciphertexts. Watson Ladd
Re: [TLS] [Cfrg] Collision issue in ciphertexts. Dang, Quynh
[TLS] Data limit for GCM under a given key. Dang, Quynh
Re: [TLS] Data limit for GCM under a given key. Watson Ladd
Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
Re: [TLS] Data limit for GCM under a given key. Watson Ladd
Re: [TLS] Data limit for GCM under a given key. Tony Arcieri
Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
Re: [TLS] Data limit for GCM under a given key. Yoav Nir
Re: [TLS] Data limit for GCM under a given key. Dave Garrett
Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
Re: [TLS] Data limit for GCM under a given key. Dave Garrett
Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
Re: [TLS] Data limit for GCM under a given key. Quynh Dang
Re: [TLS] Data limit for GCM under a given key. Yoav Nir