I wanted to explain that on my final slide but then ran over time. It is discussed in the paper, though. Sorry for the confusion.
Best,
Bjoern

> On Aug 15, 2016, at 4:46 PM, Paterson, Kenny <kenny.pater...@rhul.ac.uk> wrote:
>
> Sadly, you can't implement XGCM using an existing AES-GCM API, because of the
> way the MAC (which is keyed) is computed over the ciphertext in the standard
> GCM scheme.
>
> This does not contradict what you wrote, but may be a barrier to adoption.
>
> Cheers
>
> Kenny
>
> On 15 Aug 2016, at 16:40, Watson Ladd <watsonbl...@gmail.com> wrote:
>
>> Dear TLS list,
>> Sitting in Santa Barbara I have just learned that our nonce randomization
>> does slightly better than GCM in the multiuser setting. However, XGCM would
>> produce even better security.
>>
>> XGCM is GCM with masking applied to blocks before and after each encryption.
>> It can be implemented on top of counter mode and GHASH easily.
>>
>> As an alternative we could use 256 bit keys.
>>
>> Sincerely,
>> Watson Ladd
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
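One way to build what Watson describes, as an added example (not code from either poster or from the paper): Go's cipher.NewGCM is generic over any 128-bit cipher.Block, so wrapping AES in a mask-before-and-after permutation yields XGCM over the library's own CTR mode and GHASH. The masking form E'(x) = AES_K(x XOR L) XOR L with a fixed key part L, and the sample key and mask, are assumptions; the example also illustrates Kenny's point, since an API fixed to AES offers no such hook.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// maskedBlock applies the same secret 128-bit mask L before and after every
// AES call: E'(x) = AES_K(x XOR L) XOR L. L is part of the key, not a nonce.
type maskedBlock struct {
	inner cipher.Block
	mask  []byte
}
func (m *maskedBlock) BlockSize() int { return m.inner.BlockSize() }

// apply runs mask, inner permutation, mask through a scratch block so dst and src may alias.
func (m *maskedBlock) apply(dst, src []byte, f func(dst, src []byte)) {
	tmp := make([]byte, len(m.mask))
	for i := range tmp {
		tmp[i] = src[i] ^ m.mask[i]
	}
	f(tmp, tmp)
	for i := range tmp {
		dst[i] = tmp[i] ^ m.mask[i]
	}
}

func (m *maskedBlock) Encrypt(dst, src []byte) { m.apply(dst, src, m.inner.Encrypt) }
func (m *maskedBlock) Decrypt(dst, src []byte) { m.apply(dst, src, m.inner.Decrypt) }

// newXGCM builds GCM (CTR mode plus GHASH, with H = E'(0)) over the masked
// cipher via Go's block-cipher-generic GCM. A zero mask gives plain AES-GCM.
func newXGCM(key, mask []byte) (cipher.AEAD, error) {
	if len(mask) != aes.BlockSize {
		return nil, fmt.Errorf("mask must be exactly one AES block, got %d bytes", len(mask))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(&maskedBlock{inner: block, mask: mask})
}

func main() {
	key, mask := make([]byte, 16), []byte("constructed-mask") // sample values only
	x, _ := newXGCM(key, mask)
	nonce := make([]byte, x.NonceSize())
	fmt.Printf("%x\n", x.Seal(nil, nonce, []byte("hello"), nil))
}
```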