Sadly, you can't implement XGCM using an existing AES-GCM API, because of the way the MAC (which is keyed) is computed over the ciphertext in the standard GCM scheme.
This does not contradict what you wrote, but may be a barrier to adoption.

Cheers

Kenny

On 15 Aug 2016, at 16:40, Watson Ladd <watsonbl...@gmail.com> wrote:

Dear TLS list,

Sitting in Santa Barbara I have just learned that our nonce randomization does slightly better than GCM in the multiuser setting. However, XGCM would produce even better security. XGCM is GCM with masking applied to blocks before and after each encryption. It can be implemented on top of counter mode and GHASH easily.

As an alternative we could use 256 bit keys.

Sincerely,
Watson Ladd

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
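Added illustration of the two points above, not code from either poster: the masked block cipher that XGCM substitutes for AES (assumed here to be DESX-style whitening, E'(x) = E_K(x xor L) xor L), driven through GCM's counter mode in Go and compared with the stock crypto/cipher AES-GCM API. With L = 0 the outputs agree; with any other L both the keystream and the GHASH key H = E'(0) differ, which is why a standard AES-GCM API cannot produce XGCM's MAC. Key, nonce and plaintext are constructed values, and the GHASH polynomial step itself is left out.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)
// xgcm is AES under key K plus XGCM's whitening key L; an all-zero L reduces it to plain GCM.
type xgcm struct {
	blk  cipher.Block
	mask [16]byte
}
// enc is the assumed masked block cipher E'(x) = E_K(x xor L) xor L, used wherever GCM calls E_K:
// for the GHASH key H = E'(0), for every counter block, and for the tag mask E'(J0).
func (x *xgcm) enc(in [16]byte) (out [16]byte) {
	for i := range in { in[i] ^= x.mask[i] }
	x.blk.Encrypt(out[:], in[:])
	for i := range out { out[i] ^= x.mask[i] }
	return
}
// ctrEncrypt is GCM's counter mode for a 96-bit nonce (J0 = IV || 0^31 || 1, data starts at J0+1)
// driven by enc. It returns the ciphertext, H and E'(J0); GHASH_H over AD || C, XORed with
// E'(J0), would complete the XGCM tag (GHASH itself is left out of this example).
func (x *xgcm) ctrEncrypt(nonce, pt []byte) (ct []byte, h, tagMask [16]byte) {
	ctr := [16]byte{15: 1}
	copy(ctr[:12], nonce)
	h, tagMask, ct = x.enc([16]byte{}), x.enc(ctr), make([]byte, len(pt))
	for i := 0; i < len(pt); i += 16 {
		binary.BigEndian.PutUint32(ctr[12:], binary.BigEndian.Uint32(ctr[12:])+1)
		ks := x.enc(ctr)
		for j := 0; j < 16 && i+j < len(pt); j++ { ct[i+j] = pt[i+j] ^ ks[j] }
	}
	return
}
// sameAsGCM reports whether XGCM under (K, L) yields the same ciphertext and the same hash key
// as Go's stock AES-GCM under K, which fixes H = E_K(0) and the E_K keystream internally.
func sameAsGCM(key []byte, mask [16]byte, nonce, pt []byte) bool {
	blk, _ := aes.NewCipher(key)
	std, _ := cipher.NewGCM(blk)
	ct, h, _ := (&xgcm{blk, mask}).ctrEncrypt(nonce, pt)
	var stdH [16]byte
	blk.Encrypt(stdH[:], stdH[:])
	return bytes.Equal(ct, std.Seal(nil, nonce, pt, nil)[:len(pt)]) && h == stdH
}
func main() { // constructed demo values: L = 0 agrees with AES-GCM, a non-zero L does not
	key, nonce, pt := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 12), []byte("XGCM masks every AES call")
	fmt.Println(sameAsGCM(key, [16]byte{}, nonce, pt), sameAsGCM(key, [16]byte{0x99}, nonce, pt))
}
```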