Redefine 'l', 'limit_q', and 'limit_v' specifically for OSCORE

[rikard-sics]

Based on feedback from John during the CoRE interim on April 28.

Currently we are using l = 2^10, dropping that to 2^8 may be beneficial.

Furthermore we can define set values for 'limit_q' and 'limit_v', not relying on the CFRG document.

For instance setting an overall value for 'limit_q' to 2^20 (which is lower than all the calculated limits for q we have currently).

As long as we reduce values, like reducing the size of l and the size of 'limit_q' things should be easy to motivate as we are erring more on the side of caution.

When it comes to redefining 'limit_v' we actually want to increase this value and here is where we need a good motivation. We can start a discussion on the mailing list based on the figures John presented. He also promised to contribute material in the form of a PR to the draft.

[rikard-sics]

After further discussions we can use l = 2^8, q = 2^20 and v = 2^20, also considering the material presented by John during a SAAG meeting. See https://datatracker.ietf.org/meeting/110/materials/slides-110-saag-analysis-of-usage-limits-of-aead-algorithms-00.pdf

This can mean that we use the formulas for calculating IA and CA from the CFRG document with these values and show that the resulting probabilities are safe (<2^-64).

[rikard-sics]

Double check calculations in the table, especially for AES CCM 8 with John.

[rikard-sics]

We have our own calculated probabilities now.

Any further diverging from what the CRFG document says need strong motivation. Further discussion with John is already another issue in https://github.com/core-wg/oscore-key-limits/issues/2