-rw-r--r-- | noise.md | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -1348,6 +1348,12 @@ The authentication tag is 128 bits because: can receive rapid feedback on whether MAC guesses are correct. * A single fixed length is simpler than supporting variable-length tags. +The GCM security limit is 2^56 bytes because: + * This is 2^52 AES blocks (each block is 16 bytes). The limit is based on + the risk of birthday collisions being used to rule out plaintext guesses. + The probability an attacker could rule out a random guess on a 2^56 byte + plaintext is less than 1 in 1 million (roughly ((2^52)^2) / 2^128). + Big-endian is preferred because: * Any Noise length fields are likely to be handled by |
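Review bot: In the added GCM rationale, the closing parenthetical "((2^52)^2) / 2^128" evaluates to 2^104 / 2^128 = 2^-24, roughly 1 in 16.7 million. The stated bound "less than 1 in 1 million" is therefore true but looser than the formula beside it. Suggest giving the 2^-24 result explicitly so readers do not have to redo the arithmetic to reconcile the two figures. The bullet also does not say what the 2^56 bytes is counted over: the heading calls it "the GCM security limit" while the last sentence speaks of "a 2^56 byte plaintext", which reads as a single message. A short clause naming the scope the limit applies to would remove that ambiguity.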