cfrg / draft-irtf-cfrg-aead-limits

Usage Limits on AEAD Algorithms
https://cfrg.github.io/draft-irtf-cfrg-aead-limits/draft-wood-cfrg-aead-limits.html

No nonce randomization #33

Closed martinthomson closed 3 years ago

martinthomson commented 3 years ago

I did some analysis of Theorem 3.1 in the GCM MU paper.

The difference is small. Theorem 3.1 adds σ/2^128 to the advantage. Theorem 4.3 adds 1/2^48 to the advantage.

The difference is felt when σ gets large, then nonce randomization gets better. It's not as small a value as I had expected (2^80 is a LARGE number) based on the original Bellare/Tackmann work, but it's there.

I restored the constant factor from the second term to the equations.
I tried a few things, but forcing a minimum on B seemed like it would be safest.

This is for yaronf/I-D#203.
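As an added illustration (not part of the issue or the draft's own code), the following Python script compares the two additive advantage terms quoted in the comment above, sigma/2^128 from Theorem 3.1 and the constant 1/2^48 from Theorem 4.3, using exact fractions. The assignment of Theorem 3.1 to fixed nonces and Theorem 4.3 to randomized nonces is inferred from the sentence "then nonce randomization gets better"; the crossover at sigma = 2^80 follows from the two values as stated, and the advantage budget passed to `max_sigma_for_budget` is an assumed caller-supplied value, not a number from the page.

```python
from fractions import Fraction
from math import log2

# Values taken from the comment above: the additive contribution each theorem
# of the GCM multi-user paper makes to the adversary's advantage.
FIXED_NONCE_BITS = 128    # Theorem 3.1 adds sigma / 2^128 (assumed: fixed nonces)
RANDOM_NONCE_BITS = 48    # Theorem 4.3 adds 1 / 2^48   (assumed: randomized nonces)


def fixed_nonce_term(sigma: int) -> Fraction:
    """Additive advantage term from Theorem 3.1 for sigma total blocks."""
    return Fraction(sigma, 2 ** FIXED_NONCE_BITS)


def randomized_nonce_term() -> Fraction:
    """Constant additive advantage term from Theorem 4.3 (independent of sigma)."""
    return Fraction(1, 2 ** RANDOM_NONCE_BITS)


def crossover_sigma() -> int:
    """Smallest sigma at which the fixed-nonce term is no longer the smaller one."""
    return 2 ** (FIXED_NONCE_BITS - RANDOM_NONCE_BITS)   # 2^128 / 2^48 = 2^80


def better_bound(sigma: int) -> str:
    """Report which theorem gives the smaller additive term for a given sigma."""
    fixed, rnd = fixed_nonce_term(sigma), randomized_nonce_term()
    if fixed < rnd:
        return "theorem 3.1 (fixed nonces)"
    if fixed > rnd:
        return "theorem 4.3 (randomized nonces)"
    return "equal"


def max_sigma_for_budget(budget: Fraction) -> int:
    """Largest sigma whose Theorem 3.1 term stays within an advantage budget.

    The budget is an assumption chosen by the caller; this function only shows
    how a fixed additive term translates into a ceiling on total blocks.
    """
    return int(budget * 2 ** FIXED_NONCE_BITS)


def advantage_table(exponents=(40, 60, 80, 100)) -> list:
    """Return (sigma exponent, -log2 of each term, winner) rows for a quick read."""
    rows = []
    for e in exponents:
        sigma = 2 ** e
        rows.append((
            e,
            -log2(fixed_nonce_term(sigma)),   # bits of security lost to Theorem 3.1 term
            -log2(randomized_nonce_term()),   # always 48
            better_bound(sigma),
        ))
    return rows


if __name__ == "__main__":
    for e, fixed_bits, rnd_bits, winner in advantage_table():
        print(f"sigma=2^{e:<3} fixed-nonce term=2^-{fixed_bits:.0f} "
              f"random-nonce term=2^-{rnd_bits:.0f} -> {winner}")
    print("crossover at sigma = 2^%d" % log2(crossover_sigma()))
```

Running the table shows the point the comment makes: below 2^80 blocks the fixed-nonce term is the smaller of the two, at exactly 2^80 they coincide, and only beyond that does the constant 1/2^48 from nonce randomization win.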