On 2016-08-16 07:51, Watson Ladd wrote:
On Mon, Aug 15, 2016 at 9:56 PM, Martin Thomson
wrote:
> On 16 August 2016 at 09:46, Paterson, Kenny wrote:
>> Sadly, you can't implement XGCM using an existing AES-GCM API, because of
>> the way the MAC (which is keyed) is computed over the ciphertext in the
>> standard GCM scheme.
>
>
> Is ther
Right now I see no reason for this not to work. In fact, if you XOR the
tag as well, then every block cipher call looks similar to a DESX call,
like in XCAU.
Atul
On 2016-08-15 21:56, Martin Thomson wrote:
On 16 August 2016 at 09:46, Paterson, Kenny wrote:
> Sadly, you can't implement XGCM using an existing AES-GCM API, because of
> the way the MAC (which is keyed) is computed over the ciphertext in the
> standard GCM scheme.
Is there a reason why you can't simply XOR the plaintext stream that is
I wanted to explain that on my final slide but then ran over time. It is
discussed in the paper, though. Sorry for the confusion.
Best,
Bjoern
> On Aug 15, 2016, at 4:46 PM, Paterson, Kenny
> wrote:
>
> Sadly, you can't implement XGCM using an existing AES-GCM API, because of the
> way the
That's https://eprint.iacr.org/2016/564 for those who'd like to see the
research (Mihir Bellare and Björn Tackmann).
Bodo
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
Sadly, you can't implement XGCM using an existing AES-GCM API, because of the
way the MAC (which is keyed) is computed over the ciphertext in the standard
GCM scheme.
This does not contradict what you wrote, but may be a barrier to adoption.
Cheers
Kenny
On 15 Aug 2016, at 16:40, Watson Ladd wrote:
Dear TLS list,
Sitting in Santa Barbara I have just learned that our nonce randomization
does slightly better than GCM in the multiuser setting. However, XGCM would
produce even better security.
XGCM is GCM with masking applied to blocks before and after each
encryption. It can be implemented on t