On 16 August 2016 at 09:46, Paterson, Kenny <kenny.pater...@rhul.ac.uk> wrote:
> Sadly, you can't implement XGCM using an existing AES-GCM API, because of
> the way the MAC (which is keyed) is computed over the ciphertext in the
> standard GCM scheme.
Is there a reason why you can't simply XOR the plaintext stream that is fed to AES-GCM?

We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows improves things. If we also set P = P XOR repeat(HKDF(IKM, salt, label[P], 16)), would we gain any of the advantages of XCAU? That change could be made without needing a new algorithm.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
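The construction the reply proposes, written out as an added example in Go on top of the standard library's unmodified AES-GCM (this is not code from the thread, the paper, or any TLS implementation). HKDF-SHA256 is written inline so nothing outside the standard library is needed. The labels "N", "P" and "key", and the sample IKM, salt, nonce and messages are assumptions: the post names label[N] and label[P] without fixing them and does not say how the GCM key is chosen. The example shows only that the nonce and plaintext masking fit an existing AEAD API, with GCM's keyed MAC still computed over the ciphertext of the masked plaintext; it makes no claim about the multi-key advantages under discussion.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	nonceLen = 12 // GCM nonce length, matching the reply's HKDF(..., 12)
	maskLen  = 16 // plaintext mask length, repeated across the message
)

// hkdfSHA256 is HKDF (RFC 5869) Extract-then-Expand with HMAC-SHA256.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev) // T(i-1), empty for the first block
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// masks holds the two per-key values the reply derives from IKM and salt.
type masks struct {
	nonce []byte // N = N XOR this 12-byte value
	pt    []byte // P = P XOR repeat(this 16-byte value)
}

// deriveMasks uses the literal labels "N" and "P" (assumption: the post
// writes label[N] and label[P] without fixing their values).
func deriveMasks(ikm, salt []byte) masks {
	return masks{
		nonce: hkdfSHA256(ikm, salt, []byte("N"), nonceLen),
		pt:    hkdfSHA256(ikm, salt, []byte("P"), maskLen),
	}
}

// xorRepeat returns src XOR repeat(mask), cycling mask over src.
func xorRepeat(src, mask []byte) []byte {
	out := make([]byte, len(src))
	for i := range src {
		out[i] = src[i] ^ mask[i%len(mask)]
	}
	return out
}

// newGCM wraps a 16/24/32-byte key in the standard, unmodified AES-GCM AEAD.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealMasked: mask the nonce, mask the plaintext, then call ordinary Seal.
// The tag is GCM's own keyed MAC over the resulting ciphertext; nothing
// about the MAC computation changes.
func sealMasked(gcm cipher.AEAD, m masks, nonce, plaintext, aad []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be 12 bytes")
	}
	return gcm.Seal(nil, xorRepeat(nonce, m.nonce), xorRepeat(plaintext, m.pt), aad), nil
}

// openMasked reverses sealMasked: ordinary Open with the masked nonce, then
// strip the plaintext mask. A bad tag is rejected before any unmasking.
func openMasked(gcm cipher.AEAD, m masks, nonce, ciphertext, aad []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be 12 bytes")
	}
	maskedPT, err := gcm.Open(nil, xorRepeat(nonce, m.nonce), ciphertext, aad)
	if err != nil {
		return nil, err
	}
	return xorRepeat(maskedPT, m.pt), nil
}

func main() {
	// Constructed sample inputs. Deriving the GCM key from IKM with the
	// label "key" is an assumption; the post does not say how it is chosen.
	ikm, salt := []byte("constructed input keying material"), []byte("constructed salt")
	gcm := newGCM(hkdfSHA256(ikm, salt, []byte("key"), 16))
	m := deriveMasks(ikm, salt)
	nonce, aad := []byte("000000000001"), []byte("constructed header")
	plaintext := []byte("plaintext longer than the 16-byte mask")

	ct, err := sealMasked(gcm, m, nonce, plaintext, aad)
	if err != nil {
		panic(err)
	}
	pt, err := openMasked(gcm, m, nonce, ct, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("masked GCM ciphertext: %s\n", hex.EncodeToString(ct))
	fmt.Printf("round trip ok: %v\n", string(pt) == string(plaintext))
}
```

Both sides must derive the same masks, so IKM and salt have to be shared exactly as the GCM key is; the wire nonce stays the unmasked value, and the masked nonce never leaves the wrapper.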