by sdevlin
3583 days ago
I don't think their bound is related to nonce-management issues. From the documentation:

> The GCM security limit is 2^56 bytes because:
> This is 2^52 AES blocks (each block is 16 bytes). The limit is based on the risk of birthday collisions being used to rule out plaintext guesses. The probability an attacker could rule out a random guess on a 2^56 byte plaintext is less than 1 in 1 million (roughly (2^52 * 2^52) / 2^128).
(Clarified offline: I'm thinking of the 32 bit counter in GCM, which will wrap in tens of gigabytes worth of bytes under a single nonce. Not a TLS issue, a concern for custom protocols.)
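As an added worked example (not part of sdevlin's comment or of the documentation quoted above), here is the counter arithmetic behind the two numbers in this thread, written against NIST SP 800-38D's definitions of J0 and inc32 for the 96-bit IV case. It models only the counter construction, not AES or GHASH: identical counter blocks fed to any deterministic block cipher give identical keystream blocks, so comparing counter blocks is enough to show where the 32-bit counter wraps. The function names and the all-zero sample IV are this example's own.

```python
"""GCM counter arithmetic per NIST SP 800-38D (96-bit IV case only).

Added example: models the counter construction (J0, inc32, GCTR counter
blocks) and the two limits discussed above. AES and GHASH are not needed:
equal counter blocks under one key mean equal keystream blocks.
"""

BLOCK_BYTES = 16          # AES block size
COUNTER_BITS = 32         # width of the field incremented by inc32
DOC_LIMIT_BYTES = 2**56   # per-key limit quoted from the documentation above


def j0_from_iv(iv: bytes) -> bytes:
    """Pre-counter block for a 96-bit IV: J0 = IV || 0^31 || 1 (SP 800-38D, 7.1)."""
    if len(iv) != 12:
        raise ValueError("only the 96-bit IV construction is modelled here")
    return iv + (1).to_bytes(4, "big")


def inc32(block: bytes) -> bytes:
    """inc32: add 1 to the rightmost 32 bits modulo 2^32; the left 96 bits are untouched."""
    ctr = (int.from_bytes(block[12:], "big") + 1) % 2**COUNTER_BITS
    return block[:12] + ctr.to_bytes(4, "big")


def counter_block(iv: bytes, i: int) -> bytes:
    """Counter block that is encrypted to mask plaintext block i (i >= 1).

    GCTR starts at inc32(J0); J0 itself is reserved for masking the tag.
    Computed in closed form instead of applying inc32 i times.
    """
    if i < 1:
        raise ValueError("plaintext blocks are numbered from 1")
    j0 = j0_from_iv(iv)
    ctr = (int.from_bytes(j0[12:], "big") + i) % 2**COUNTER_BITS
    return j0[:12] + ctr.to_bytes(4, "big")


def blocks_until_counter_repeats() -> int:
    """Smallest i >= 1 with counter_block(iv, i) == J0.

    After 2^32 increments the 32-bit field wraps: the keystream restarts and
    the tag mask E_K(J0) is reused to mask plaintext. Independent of the IV's
    96 high bits, so no choice of nonce avoids it.
    """
    return 2**COUNTER_BITS


def max_plaintext_bytes_per_nonce() -> int:
    """SP 800-38D 5.2.1.1: len(P) <= 2^39 - 256 bits, i.e. 2^32 - 2 blocks (~64 GiB)."""
    return (2**39 - 256) // 8


def birthday_guess_probability(n_blocks: int) -> float:
    """The documentation's estimate of the chance an attacker can rule out one
    plaintext guess from n_blocks of ciphertext under one key: n^2 / 2^128."""
    return n_blocks * n_blocks / 2**128


def nonces_needed_for_doc_limit() -> int:
    """Distinct nonces needed to spend the 2^56-byte per-key budget when every
    nonce is capped by the counter limit: ceil(2^56 / (2^36 - 32))."""
    per_nonce = max_plaintext_bytes_per_nonce()
    return (DOC_LIMIT_BYTES + per_nonce - 1) // per_nonce


if __name__ == "__main__":
    iv = bytes(12)  # constructed sample IV; any 96-bit value behaves the same
    wrap = blocks_until_counter_repeats()
    print("J0                    :", j0_from_iv(iv).hex())
    print("counter for block 1   :", counter_block(iv, 1).hex())
    print(f"counter for block 2^32: {counter_block(iv, wrap).hex()}  (== J0)")
    print(f"per-nonce plaintext cap: {max_plaintext_bytes_per_nonce() / 2**30:.6f} GiB")
    print(f"doc per-key limit      : {DOC_LIMIT_BYTES / 2**50:.0f} PiB "
          f"= at least {nonces_needed_for_doc_limit()} nonces")
    print(f"P[rule out a guess] at 2^52 blocks: 2^{birthday_guess_probability(2**52).__abs__().hex()[-3:]}"
          if False else
          f"P[rule out a guess] at 2^52 blocks: {birthday_guess_probability(2**52):.3e}")
```

Run stand-alone, the script shows the two limits side by side: the counter caps a single nonce at just under 64 GiB, while the quoted 2^56-byte figure is a per-key budget that can only be reached by spreading data over at least 2^20 + 1 distinct nonces, which is why the two bounds address different concerns.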