Re: [TLS] Data Volume Limits Analysis

Eric Rescorla <> Sun, 20 March 2016 23:41 UTC


Atul, Kenny,

Thanks for doing this. My initial impression is that these results are
close to the line for AES-GCM, especially for the scenario where we have
keys: there are probably well upward of 2^{32} HTTPS connections a day.

A few questions:

1. As I understand it, failure in these models is fairly catastrophic,
so I should be reading Table 1 as "chance of total collapse of
not "chance of being able to read one plaintext" value. Is that correct?

2. Are there available proofs for a non-chosen plaintext context? This seems
to bear on the multiple key question: it seems plausible that an attacker
capture a very large number of AES-GCM encrypted connections passively,
but collecting a huge number of AES-GCM connections where it gets to
specify the plaintexts seems more challenging, even with BEAST-style

3. Naively, from equation 5, it seems like as \sigma >> q you should be able
to encrypt rather more submaximal (e.g., 1K) records than maximal size

Finally, and this calls for an opinion: do you believe that given these
we should include a KeyUpdate feature in TLS 1.3?


On Tue, Mar 8, 2016 at 2:16 PM, aluykx <> wrote:

> Kenny Paterson and I prepared a document providing an overview of how much
> data ChaCha20+Poly1305 and AES-GCM can process with a single key. Besides
> summarizing the results, the document also gives an explanation of why the
> limits are there. The document confirms the analysis done by Watson and
> others in the thread on "Data Volume Limits", but goes into more detail.
> The document can be found on Kenny's website:
> Atul Luykx