Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

[Atul Luykx <Atul.Luykx@esat.kuleuven.be>]

Hey David,

On 2016-07-19 11:58, David McGrew wrote:
> HI Atul,
> 
>> On Jul 19, 2016, at 2:26 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be> 
>> wrote:
>> 
>>> What is especially cool about counter mode encryption is how its real
>>> world security degrades more gracefully than CBC mode encryption.  I
>>> am not sure that the FSE paper did a good job of saying it in English
>>> as opposed to math (except for the last sentence of Section 4), but
>>> even though CTR may be just as distinguishable as CBC after some
>>> amount of known plaintext is encrypted, counter mode in practice 
>>> gives
>>> away much less information.
>> 
>> Just to be precise, no attack has been found which illustrates that 
>> CTR mode's security degrades like CBC’s.
> 
> I either don’t understand the sentence, or I disagree with it.  Both
> CTR and CBC are only secure up to the birthday bound, and are
> distinguishable at or beyond that bound.
> 

Sounds good; I was just clarifying the possibility that CTR could be as 
vulnerable as CBC beyond the birthday bound in practice, addressing the 
following sentence:
>> counter mode in practice gives away much less information.
But you're right, I wasn't very clear.


>> Nevertheless, it might be possible to formalize your intuition.
>> 
> 
> Agreed, and what is needed is a measure of the expected amount of
> information an attacker has about the (unknown) target plaintext,
> which would be larger in the CBC case than the CTR case.   This is
> interesting, but of course, we should stick with the standard
> definition of indistinguishability as our security criterion.
> 
> Hope this doesn’t sound like nit picking; I just want to make sure
> that no one thinks I am suggesting that it is OK to use encryption
> systems that are distinguishable.
> 
> best,
> 
> David
> 
>> Atul