Right now I see no reason for this not to work. In fact if you XOR the tag as well, then every block cipher call looks similar to a DESX call, like in XCAU.

Atul

On 2016-08-15 21:56, Martin Thomson wrote:
> On 16 August 2016 at 09:46, Paterson, Kenny <kenny.pater...@rhul.ac.uk> wrote:
> > Sadly, you can't implement XGCM using an existing AES-GCM API, because of
> > the way the MAC (which is keyed) is computed over the ciphertext in the
> > standard GCM scheme.
>
> Is there a reason why you can't simply XOR the plaintext stream that
> is fed to AES-GCM?
>
> We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows
> improves things.  If we also set P = P XOR repeat(HKDF(IKM, salt,
> label[P], 16)) would we gain any of the advantages of XCAU?  That
> change could be made without needing a new algorithm.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
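The construction Martin sketches (mask the nonce with a 12-byte HKDF output, mask the plaintext with a repeated 16-byte HKDF output) and the extra step Atul mentions (mask the tag as well) can all be layered on top of an unmodified AES-GCM API. The following Go program is an added illustration written for this page, not code from the thread, from the XCAU paper, or from any TLS implementation. It assumes the AES key is already derived elsewhere, uses placeholder info strings ("label-N", "label-P", "label-T") in place of the paper's label[N] and label[P], and implements HKDF (RFC 5869) over HMAC-SHA-256 with the standard library so that it runs without external modules. Whether the resulting scheme actually delivers XCAU's security margin is exactly what the thread is debating; the code only shows that the API-level objection does not apply to this variant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// hkdf runs HKDF-Extract then HKDF-Expand (RFC 5869) with HMAC-SHA-256 and
// returns n bytes of output keying material.
func hkdf(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:n]
}

// xorRepeat XORs src with mask repeated cyclically; this is the
// "repeat(HKDF(...))" step from the thread.
func xorRepeat(src, mask []byte) []byte {
	out := make([]byte, len(src))
	for i := range src {
		out[i] = src[i] ^ mask[i%len(mask)]
	}
	return out
}

// deriveMasks produces the nonce, plaintext and tag masks. The info strings
// are placeholders (assumption) standing in for the paper's label[N]/label[P].
func deriveMasks(ikm, salt []byte) (nMask, pMask, tMask []byte) {
	nMask = hkdf(ikm, salt, []byte("label-N"), 12)
	pMask = hkdf(ikm, salt, []byte("label-P"), 16)
	tMask = hkdf(ikm, salt, []byte("label-T"), 16)
	return
}

// MaskedSeal encrypts with plain AES-GCM after masking the nonce and the
// plaintext, then masks the 16-byte tag. Output is ciphertext || masked tag.
func MaskedSeal(key, ikm, salt, nonce, plaintext, aad []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, fmt.Errorf("nonce must be 12 bytes, got %d", len(nonce))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nMask, pMask, tMask := deriveMasks(ikm, salt)
	ct := gcm.Seal(nil, xorRepeat(nonce, nMask), xorRepeat(plaintext, pMask), aad)
	tagStart := len(ct) - gcm.Overhead()
	copy(ct[tagStart:], xorRepeat(ct[tagStart:], tMask))
	return ct, nil
}

// MaskedOpen reverses MaskedSeal: unmask the tag, verify and decrypt under the
// masked nonce, then unmask the recovered plaintext. Any mismatch in key,
// nonce, salt or AAD surfaces as a normal GCM authentication failure.
func MaskedOpen(key, ikm, salt, nonce, ct, aad []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, fmt.Errorf("nonce must be 12 bytes, got %d", len(nonce))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext shorter than tag")
	}
	nMask, pMask, tMask := deriveMasks(ikm, salt)
	unmasked := append([]byte(nil), ct...)
	tagStart := len(unmasked) - gcm.Overhead()
	copy(unmasked[tagStart:], xorRepeat(unmasked[tagStart:], tMask))
	pp, err := gcm.Open(nil, xorRepeat(nonce, nMask), unmasked, aad)
	if err != nil {
		return nil, err
	}
	return xorRepeat(pp, pMask), nil
}

func main() {
	// Constructed sample inputs; not real keys.
	key := bytes.Repeat([]byte{0x11}, 16)
	ikm, salt := []byte("constructed-ikm"), []byte("constructed-salt")
	nonce := bytes.Repeat([]byte{0x22}, 12)
	ct, _ := MaskedSeal(key, ikm, salt, nonce, []byte("sample record"), []byte("hdr"))
	pt, err := MaskedOpen(key, ikm, salt, nonce, ct, []byte("hdr"))
	fmt.Printf("ciphertext=%x\nplaintext=%q err=%v\n", ct, pt, err)
}
```

Both functions call only `cipher.NewGCM`'s `Seal` and `Open`; the masking lives entirely outside the AEAD, which is the point of Martin's question. Note that the nonce mask is fixed per (IKM, salt), so nonce uniqueness still rests on the caller never reusing the raw nonce under the same key.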