author | 2016-02-18 16:09:00 -0800 | |
---|---|---|
committer | 2016-02-18 16:09:00 -0800 | |
commit | 859f2190559429e61f37a7075c1da5e313d775f7 (patch) | |
tree | a3873699c0c3fd81282b54cfab5e4b3e0790bf23 | |
parent | Rev 22, feedback from Tom (diff) | |
Security considerations (tom)
-rw-r--r-- | noise.md | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -1348,6 +1348,12 @@ The authentication tag is 128 bits because: can receive rapid feedback on whether MAC guesses are correct. * A single fixed length is simpler than supporting variable-length tags. +The GCM security limit is 2^56 bytes because: + * This is 2^52 AES blocks (each block is 16 bytes). The limit is based on + the risk of birthday collisions being used to rule out plaintext guesses. + The probability an attacker could rule out a random guess on a 2^56 byte + plaintext is less than 1 in 1 million (roughly ((2^52)^2) / 2^128). + Big-endian is preferred because: * Any Noise length fields are likely to be handled by |
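Review bot: The new bullet under "The GCM security limit is 2^56 bytes because:" does not say what the limit is measured over. The phrase "on a 2^56 byte plaintext" reads as a single message, while a "security limit" would more naturally be a bound on the total bytes encrypted under one key; please state the scope explicitly. It would also help to carry the estimate through in the text: ((2^52)^2) / 2^128 = 2^104 / 2^128 = 2^-24, which is about 1 in 16.7 million, so a reader can check the "less than 1 in 1 million" claim without redoing the arithmetic. A smaller style point: the neighbouring rationale sections list several short bullets, whereas this one packs the block count, the birthday-collision reasoning and the probability into a single bullet; splitting it into two or three bullets would match the surrounding lists.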