On 2016-08-16 07:51, Watson Ladd wrote:
> On Mon, Aug 15, 2016 at 9:56 PM, Martin Thomson
> <martin.thom...@gmail.com> wrote:
>> On 16 August 2016 at 09:46, Paterson, Kenny
>> <kenny.pater...@rhul.ac.uk> wrote:
>>> Sadly, you can't implement XGCM using an existing AES-GCM API, because
>>> of the way the MAC (which is keyed) is computed over the ciphertext in
>>> the standard GCM scheme.
>>
>> Is there a reason why you can't simply XOR the plaintext stream that
>> is fed to AES-GCM?
>>
>> We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows
>> improves things. If we also set P = P XOR repeat(HKDF(IKM, salt,
>> label[P], 16)), would we gain any of the advantages of XCAU? That
>> change could be made without needing a new algorithm.
>
> Yes. XOR two adjacent blocks, and you get something that is a function
> purely of the key.
This is true if N XOR L is made public (where L is the secret value). As
long as N XOR L is only used for encryption, and N is the value
communicated, then it isn't possible to get a function purely of the key
by XORing two adjacent ciphertext blocks, since the block cipher inputs
will depend on L.
Atul
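The algebra behind the two claims above, as an added example that is not code from the thread or from any TLS implementation. It runs with the Python standard library only, so HMAC-SHA256 truncated to 16 bytes stands in for AES_K(.) and a single HMAC call stands in for HKDF; the counter-block layout (12-byte nonce || 4-byte counter, data counters starting at 2) is GCM's, and the function names, labels and sample inputs are assumptions made here. It shows that a repeated plaintext mask cancels out of C_i XOR C_{i+1} and leaves a value computable from the key and the public nonce alone, whereas a secret nonce offset L changes the block-cipher inputs and so changes that value.

```python
"""Worked example of the thread's algebra; added here, not code from the
thread or from TLS 1.3.

Stand-ins (assumptions, so the example runs with only the standard library):
  - prf_block() plays the role of AES_K(.) (HMAC-SHA256 truncated to a block).
  - derive() plays the role of HKDF(IKM, salt, label, length); salt omitted.
  - counter blocks use GCM's layout: 12-byte nonce || 4-byte counter.
"""
import hashlib
import hmac

BLOCK = 16
NONCE_LEN = 12


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def prf_block(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for E_K(block_in)."""
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK]


def derive(ikm: bytes, label: bytes, length: int) -> bytes:
    """Stand-in for HKDF(IKM, salt, label, length)."""
    return hmac.new(ikm, label, hashlib.sha256).digest()[:length]


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> list:
    """Keystream blocks E_K(nonce || ctr); GCM starts data blocks at ctr = 2."""
    return [prf_block(key, nonce + ctr.to_bytes(4, "big"))
            for ctr in range(2, 2 + nblocks)]


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The CTR half of GCM (the GHASH tag is irrelevant to this argument)."""
    assert len(plaintext) % BLOCK == 0, "example uses whole blocks only"
    ks = b"".join(ctr_keystream(key, nonce, len(plaintext) // BLOCK))
    return xor(plaintext, ks)


def block(data: bytes, i: int) -> bytes:
    return data[i * BLOCK:(i + 1) * BLOCK]


def known_plaintext_leak(ciphertext: bytes, plaintext: bytes, i: int) -> bytes:
    """What an observer who knows P learns from two adjacent ciphertext blocks:
    C_i ^ C_{i+1} ^ P_i ^ P_{i+1}.  For plain CTR that is KS_i ^ KS_{i+1}."""
    return xor(xor(block(ciphertext, i), block(ciphertext, i + 1)),
               xor(block(plaintext, i), block(plaintext, i + 1)))


def keystream_pair_xor(key: bytes, nonce: bytes, i: int) -> bytes:
    """KS_i ^ KS_{i+1} computed directly from the key and the nonce fed to E_K."""
    ks = ctr_keystream(key, nonce, i + 2)
    return xor(ks[i], ks[i + 1])


# Proposal from the thread: mask the plaintext with a repeated secret block
# M = HKDF(IKM, salt, label[P], 16) before ordinary AES-GCM.  The secret M
# appears in both C_i and C_{i+1} and cancels out of their XOR.
def masked_plaintext_leak(key, nonce, ikm, plaintext, i):
    m = derive(ikm, b"label[P]", BLOCK)
    masked = xor(plaintext, m * (len(plaintext) // BLOCK))
    return known_plaintext_leak(ctr_encrypt(key, nonce, masked), plaintext, i)


# The alternative: keep P as is, but feed E_K the secret-offset nonce N ^ L with
# L = HKDF(IKM, salt, label[N], 12), while only N is ever transmitted.
def secret_nonce_offset_leak(key, nonce, ikm, plaintext, i):
    l = derive(ikm, b"label[N]", NONCE_LEN)
    return known_plaintext_leak(ctr_encrypt(key, xor(nonce, l), plaintext),
                                plaintext, i)


if __name__ == "__main__":
    # Constructed sample inputs (not from the thread).
    key, nonce, pt = b"k" * 16, b"n" * 12, bytes(range(48))
    for ikm in (b"secret-1", b"secret-2"):
        print("plaintext mask :", masked_plaintext_leak(key, nonce, ikm, pt, 0).hex())
        print("nonce offset   :", secret_nonce_offset_leak(key, nonce, ikm, pt, 0).hex())
    print("from K, N only :", keystream_pair_xor(key, nonce, 0).hex())
```

Running it prints the same "plaintext mask" line for both IKM values, and that line equals the value computed from K and the public N alone; the "nonce offset" lines differ between the two IKM values and from the K-and-N-only value, because the block-cipher inputs now contain L. The example only models the CTR half; it says nothing about the keyed GHASH part that Kenny raised.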
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls