Subject: Re: FUD about CGD and GBDE
To: None <>
From: Warner Losh <>
List: tech-security
Date: 03/03/2005 10:54:42
> For instance, the NIST specification for AES and CCM mode (NIST Special 
> Publication 800-38C) specifically states that you must limit the number 
> of invocations of the block cipher (specifically AES) to 2^61.  Now, I 
> realize that is an upper bound.  But even after removing several orders 
> of magnitude, that leaves a huge amount of material you can encrypt with 
> a single key.

phk's point is that encrypting ~2^10 bytes of data with the same key
is better than encrypting ~2^40 bytes.  While there may be theoretical
reasons to believe that you can get away with much more than 2^9, the
whole history of crypto is filled with examples of coding systems,
once believed to be secure, that were broken because the same key was
used for a lot of traffic.  phk's fundamental point isn't that you
can't get away with encrypting large amounts of data, in theory, but
rather that it is more conservative to do less.  Both from the point
of view of this history and also from the point of view of amount of
data that's disclosed should one key be recovered.

Others have a differing point of view.  History is also littered with
strongly held views that turned out to be wrong.  Time will tell if
either or both of these views is good or not.