Open NeilMadden opened 5 months ago
Thank you for the report. We agree that this is badly formulated, though we think it's unspecific enough that it is not simply wrong. Clearly there is a lot of room for improvement here, but we don't know if we will get to this soon unfortunately :( We will leave this open though, it really should be improved and I hope someone gets to it.
Describe the bug:
Apologies, I couldn’t find a direct way to report documentation bugs.
The documentation for the
AEAD
primitive states for AES-GCM-SIV:This (“a large amount of messages”) is only true in the MRAE security game, not in the normal nonce-based AEAD security game. AES-GCM-SIV has a 96-bit nonce, and so has the same bounds as AES-GCM regarding number of messages that can be encrypted before nonce reuse becomes likely. In the face of nonce-reuse, AES-GCM-SIV doesn’t achieve IND-CPA security, so doesn’t meet the security goals of the
Aead
interface in Tink. See this SE question and answer for some more details: https://crypto.stackexchange.com/questions/102334/beyond-birthday-bound-security-in-aes-gcm-siv