AEAD encryption limitations #1368
alexanderzjs started this conversation in General
-
Scroll down the page :) This document is still a work in progress, but is going to be very helpful to understand usage limits. The bounds for AES-GCM are very low. This is fine in the context of TLS that caps messages to 16KB and does rekeying, but it can't safely be used as a general-purpose AEAD.
-
Hi, All,
In https://doc.libsodium.org/secret-key_cryptography/aead, AES256-GCM, ChaCha20-Poly1305 and XChaCha20-Poly1305 limitations for a single key (same nonce and random nonce, single message and multiple messages) are listed. Would you mind letting me know the rationale for the limitations?
For example, in NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, the bound seems to be 2^{32} invocations per (key, IV) pair. In the gitbook, 350GB is the limit for AES-GCM. How is 350GB computed?
Thanks in advance.