Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update AEAD limits for larger packets #4175

Merged
merged 4 commits into from
Oct 15, 2020
Merged

Conversation

martinthomson
Copy link
Member

The analysis describes conditions where higher limits might be allowed, and provides a formula in each case that can be used to determine other limits more readily.

The number of changes I've made here are somewhat frightening. This is why I resisted doing this. This will need careful double-checking. I think that this is better, but I'm not sure that I feel happy about having spent the time.

The actual numbers don't concern me much, anyone can subtract 2, but the changes to the structure really need to be looked at. Some of the changes are editorial, but they still need extra eyes.

Closes #3701.

The analysis describes conditions where higher limits might be allowed,
and provides a formula in each case that can be used to determine other
limits more readily.

The number of changes I've made here are somewhat frightening.  This is
why I resisted doing this.  This will need careful double-checking.

The actual numbers don't concern me much, it's the changes to the
structure that need to be looked at.  Some of the changes are editorial,
but they still need extra eyes.

Closes #3701.
@martinthomson martinthomson added design An issue that affects the design of the protocol; resolution requires consensus. -tls labels Oct 2, 2020
@chris-wood
Copy link
Contributor

cc @fxguenther

Copy link
Contributor

@DavidSchinazi DavidSchinazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is exactly what I was hoping for, thanks for writing it. As far as I can tell, it's correct. It also fully addresses my concerns from #3701.

Copy link
Contributor

@chris-wood chris-wood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @martinthomson! I checked the derivations and produced the same results.

Copy link
Contributor

@MikeBishop MikeBishop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actual analysis is beyond my scope, but the text looks good.

keys without causing an attacker to gain a larger advantage than the target of
2^-57. Note however that the integrity limits further constrain this value.
The integrity limit in Theorem 1 in {{?CCM-ANALYSIS}} provides an attacker a
strictly higher advantage for the same number of messages. As the targets
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
strictly higher advantage for the same number of messages. As the targets
strictly higher advantage for the same number of messages. As the target

Or "targeted"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm trying to say that the "value of the goal" is the same. I think that this is correct.

I think that you might say "target advantages for A and B", but I think that "advantages" means something else and so I avoided the plural.

Maybe instead "As the target for both the confidentiality advantage and integrity advantage is the same, ..." ?

My grammar skillz aren't up to this, clearly.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or plural works in that last arrangement, so "As the targets for the confidentiality advantage and the integrity advantage are the same...." I think any of them are fine, so long as they agree in number. What stuck out to me was "targets advantage" more than anything else.

@@ -2337,18 +2352,19 @@ distinguishing advantage between a real and random AEAD algorithm gained by an
attacker is:

~~~
2 * (q * l)^2 / 2^128
2 * (q * l)^2 / 2^n
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I forgot to call this out. @chris-wood, can you check that this is right here? I think that this comes from the \sigma*B/2^n term in Bad3 in the paper, but I want to make sure that my understanding is correct in that we are treating \sigma*B as \sigma^2 in the single-user case.

Copy link
Contributor

@janaiyengar janaiyengar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor points.

draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
draft-ietf-quic-tls.md Outdated Show resolved Hide resolved
martinthomson and others added 2 commits October 16, 2020 10:20
wrapping needed...

Co-authored-by: Jana Iyengar <[email protected]>
@martinthomson martinthomson merged commit bf5c397 into master Oct 15, 2020
@martinthomson martinthomson deleted the large-packet-limits branch October 15, 2020 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
-tls design An issue that affects the design of the protocol; resolution requires consensus.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

The QUIC-TLS draft should define anti-forgery limits for packet lengths up to 2^16
5 participants