core-wg / oscore-key-limits

Other
0 stars 0 forks source link

Latest feedback from John on the limits and probabilities #2

Open rikard-sics opened 2 years ago

rikard-sics commented 2 years ago

Got the feedback below from John via mail. We should take it into account for future versions.

These probabilities must be acceptably low

I don’t think this is true. The advantage per key is a quite useless measure for security protocols/use cases with several keys and maybe ever several connections. Keeping these probabilities low does not increase security when advantage functions are linear.

I would not talk so much of the CA IA probabilities per key on slide 4-5. These are not very relevant measures for OSCORE, especially not OSCORE with rekeying. A relevant measure instead of IA per key would be forgery probability per forgery attempt (or perharps per number of byte sent.)

rikard-sics commented 1 year ago

I think we need more discussions with John to resolve this