From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 15 Aug 2016 23:46:25 +0000
Message-ID: <719DD3BC-83DD-4304-9C00-B72715A0FDA2@rhul.ac.uk>
In-Reply-To: <CACsn0cmZ9Q+d6-7EUHJ-v-=hmK9yvFz_1fshAXnMRuwd2RQRFA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8lAy8JUpTvG7cFwRkd-7c2k9DX4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Randomization of nonces

Sadly, you can't implement XGCM using an existing AES-GCM API, because of the way the MAC (which is keyed) is computed over the ciphertext in the standard GCM scheme.

This does not contradict what you wrote, but may be a barrier to adoption.

Cheers

Kenny

On 15 Aug 2016, at 16:40, Watson Ladd <watsonbladd@gmail.com> wrote:


Dear TLS list,
Sitting in Santa Barbara I have just learned that our nonce randomization does slightly better than GCM in the multiuser setting. However, XGCM would produce even better security.

XGCM is GCM with masking applied to blocks before and after each encryption. It can be implemented on top of counter mode and GHASH easily.

As an alternative we could use 256 bit keys.

Sincerely,
Watson Ladd

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
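
Added example, not code from either poster and not an XGCM reference implementation: the "masking before and after each encryption" that the thread describes, built in Go on top of the standard library's unchanged CTR + GHASH. Assumptions that the page does not state: the mask L is a second 16-byte key handed in next to the AES key (how XGCM actually derives L is not given here), and the names maskedBlock, newAEAD, Seal and Open are this example's own. Go's cipher.NewGCM takes a cipher.Block rather than a raw AES key, which is why the mode can be reused here; an API that only exposes AES-GCM under a key cannot be wrapped the same way, because GHASH is keyed with H = E'(0) = E_K(L) XOR L and the tag is masked with E'(J0), and neither value is reachable by pre- or post-processing the inputs and outputs of a plain AES-GCM call.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// maskedBlock whitens a 128-bit block cipher E on both sides:
//
//	E'(x) = E(x XOR L) XOR L
//
// This is the "masking applied to blocks before and after each encryption"
// described in the thread. Assumption for this example: L is a second 16-byte
// key supplied next to the AES key; the page does not say how XGCM derives it.
type maskedBlock struct {
	inner cipher.Block
	mask  [16]byte // L
}

func (m *maskedBlock) BlockSize() int { return 16 }

func (m *maskedBlock) apply(f func(dst, src []byte), dst, src []byte) {
	var t [16]byte
	for i := range t {
		t[i] = src[i] ^ m.mask[i] // pre-whitening
	}
	f(t[:], t[:])
	for i := range t {
		dst[i] = t[i] ^ m.mask[i] // post-whitening
	}
}

func (m *maskedBlock) Encrypt(dst, src []byte) { m.apply(m.inner.Encrypt, dst, src) }
func (m *maskedBlock) Decrypt(dst, src []byte) { m.apply(m.inner.Decrypt, dst, src) }

// newAEAD returns plain AES-GCM when mask is nil and XGCM otherwise. The GCM
// mode (CTR + GHASH) is untouched: cipher.NewGCM is parameterised by a
// cipher.Block, so the masked cipher drops in. Under the masked cipher GHASH
// is keyed with H = E'(0) = E_K(L) XOR L and the tag is masked with E'(J0);
// an API that only exposes AES-GCM under K cannot produce either value.
func newAEAD(key, mask []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if mask == nil {
		return cipher.NewGCM(blk)
	}
	if len(mask) != 16 {
		return nil, errors.New("mask must be 16 bytes")
	}
	mb := &maskedBlock{inner: blk}
	copy(mb.mask[:], mask)
	return cipher.NewGCM(mb)
}

// Seal encrypts pt with associated data ad; mask == nil selects AES-GCM,
// a 16-byte mask selects XGCM. Open is the inverse and fails on a bad tag.
func Seal(key, mask, nonce, ad, pt []byte) ([]byte, error) {
	a, err := newAEAD(key, mask)
	if err != nil {
		return nil, err
	}
	return a.Seal(nil, nonce, pt, ad), nil
}

func Open(key, mask, nonce, ad, ct []byte) ([]byte, error) {
	a, err := newAEAD(key, mask)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, nonce, ct, ad)
}

func main() {
	// Constructed sample inputs for the example; not from the thread.
	key := bytes.Repeat([]byte{0x11}, 16)
	mask := bytes.Repeat([]byte{0x22}, 16)
	nonce := bytes.Repeat([]byte{0x33}, 12)
	ad := []byte("record header")
	pt := []byte("attack at dawn")

	xct, _ := Seal(key, mask, nonce, ad, pt)
	gct, _ := Seal(key, nil, nonce, ad, pt)
	fmt.Println("XGCM    :", hex.EncodeToString(xct))
	fmt.Println("AES-GCM :", hex.EncodeToString(gct))

	// Same AES key, no mask: the tag check fails, as it must.
	if _, err := Open(key, nil, nonce, ad, xct); err != nil {
		fmt.Println("AES-GCM rejects XGCM ciphertext:", err)
	}
	// With L = 0 the whitening vanishes and XGCM is exactly AES-GCM.
	zct, _ := Seal(key, make([]byte, 16), nonce, ad, pt)
	fmt.Println("L = 0 reproduces AES-GCM:", bytes.Equal(zct, gct))
}
```

The all-zero mask case at the end is the sanity check worth keeping for any whitened variant: it must collapse to the base mode exactly, which confirms the masking is the only thing that changed.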
