Re: Counter Mode Security: Analysis and Recommendations



>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:

 Stephen> Ted, I concur with your analysis re the storage requirements
 Stephen> for this attack, and how daunting they seem. This strikes me
 Stephen> as the sort of attack that I would protect against if it
 Stephen> cost almost nothing, but as we see, it does have a cost,
 Stephen> e.g., in terms of extra storage for additional per-SA state
 Stephen> for the added bits, or in terms of using bigger AES keys,
 Stephen> with attendant increases in the number of rounds and the key
 Stephen> state size. Also there are costs to vendors in supporting
 Stephen> the additional key sizes and numbers of rounds.

Agreed on increasing key sizes.  But I don't agree for the case where
128-bit keys and a 64-bit random number are used.  Yes, that increases
the per-SA state by 8 bytes.  And yes, that cost is "almost nothing".

    paul