Re: [quicwg/base-drafts] Include epoch in the AAD or the nonce? (#3661)

ekr <> Tue, 19 May 2020 01:17 UTC

Date: Mon, 18 May 2020 18:17:10 -0700
From: ekr <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3661/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Include epoch in the AAD or the nonce? (#3661)

I think where TLS is going to land is with no change, because the nonce includes the full epoch. I have the same intuitions as you, but as you say they aren't formal. 

With that said, as you observed in our call today, it seems like there is an easy fix: both AES_GCM and ChaCha20/Poly1305 take a 96-bit nonce which we are just left-padding with 0s. If we are willing to restrict to <2^32 key changes, we could encode the epoch in those 0s, right?

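The two nonce layouts under discussion, as an added example that is not part of the mailing-list thread or of any QUIC implementation: `quic_nonce` builds the nonce the way RFC 9001 does today (62-bit packet number left-padded with zeros to 96 bits, XORed with the packet protection IV), and `epoch_nonce` is one reading of the proposal in the mail, placing a 32-bit epoch in the four padding bytes so the epoch is bound by the nonce itself. The function names, the 32-bit epoch width, and the sample IV are this example's assumptions.

```python
"""Added example (not from the thread): today's QUIC AEAD nonce versus a
nonce that carries the key-update epoch in the zero padding.

QUIC today (RFC 9001, section 5.3): the 62-bit packet number, big-endian,
is left-padded with zeros to the IV length (96 bits) and XORed with the IV.
Proposed variant from the mail: use those padding bits for the epoch, which
caps the number of key changes at 2^32.  Field widths here are assumptions.
"""

IV_LEN = 12                 # 96-bit nonce for AES-GCM and ChaCha20-Poly1305
MAX_PN = 1 << 62            # QUIC packet numbers are 62-bit
MAX_EPOCH = 1 << 32         # the "<2^32 key changes" restriction from the mail


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def quic_nonce(iv: bytes, pn: int) -> bytes:
    """Nonce as QUIC builds it today: zero-padded packet number XOR IV.

    The epoch is not present in this layout at all; a key update only
    enters the nonce indirectly, through the freshly derived IV.
    """
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 96 bits")
    if not 0 <= pn < MAX_PN:
        raise ValueError("packet number out of range")
    padded = pn.to_bytes(IV_LEN, "big")   # 4 zero bytes, then 8-byte PN
    return _xor(padded, iv)


def epoch_nonce(iv: bytes, epoch: int, pn: int) -> bytes:
    """Assumed proposal: 32-bit epoch || 64-bit packet number, then XOR IV."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 96 bits")
    if not 0 <= epoch < MAX_EPOCH:
        raise ValueError("epoch does not fit in 32 bits")
    if not 0 <= pn < MAX_PN:
        raise ValueError("packet number out of range")
    padded = epoch.to_bytes(4, "big") + pn.to_bytes(8, "big")
    return _xor(padded, iv)


def nonces_distinct_across_epochs(iv: bytes, pn: int, epochs: int) -> bool:
    """True when a fixed IV and packet number yield a different nonce per epoch."""
    seen = {epoch_nonce(iv, e, pn) for e in range(epochs)}
    return len(seen) == epochs


if __name__ == "__main__":
    # Constructed sample IV; a real IV comes from the TLS key schedule.
    sample_iv = bytes(range(IV_LEN))
    print("today   :", quic_nonce(sample_iv, 5).hex())
    print("epoch 0 :", epoch_nonce(sample_iv, 0, 5).hex())
    print("epoch 1 :", epoch_nonce(sample_iv, 1, 5).hex())
    print("distinct:", nonces_distinct_across_epochs(sample_iv, 5, 16))
```

Note that with epoch 0 the proposed layout reproduces today's nonce exactly, since the padding bytes are all zero in both cases; the difference only appears once a key update increments the epoch.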