cfrg/draft-irtf-cfrg-aead-limits

Consider multi-user security implications

Closed this issue · 1 comment

Multi-user security [1,2,3] may affect the limits in this draft. [4] notes that, for AES-GCM, multi-user security limits, which typically affect limits by a factor proportional to the number of users, do not apply to TLS. This probably warrants further investigation for ChaCha20Poly1305 and AES-CCM. If we were to assume the folklore result (multiply the limit by μ), the result would be that QUIC would not reset counters after re-key operations. Whether or not we do that may have big implications on the limits, especially since the re-key count is unbounded (as far as I can tell).

As an aside, DTLS encodes the epoch in a 16-bit field, so that probably caps it at 2^16 possible re-key events. Maybe we need something for QUIC?

[1] https://eprint.iacr.org/2016/564.pdf
[2] https://eprint.iacr.org/2018/993.pdf
[3] https://eprint.iacr.org/2017/435.pdf
[4] https://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf

This was addressed by #15.