Re: [TLS] Randomization of nonces

Björn Tackmann <btackmann@eng.ucsd.edu> Tue, 16 August 2016 00:34 UTC

From: Björn Tackmann <btackmann@eng.ucsd.edu>
Message-Id: <8E4790D1-BAFC-4BED-9A52-99E8A76E84E0@eng.ucsd.edu>
Date: Mon, 15 Aug 2016 17:34:38 -0700
References: <CACsn0cm04Fjh+mvvOCP6WL=OzF6Q81cRtO7bzFSLJPVjpeBFvQ@mail.gmail.com> <CACsn0c=V8dKXd_HVhAQd5ONeqQvmk5AmcVdWjJ8kFNG3189Hzg@mail.gmail.com> <CACsn0c=euLYSZWSoHs-QJgDLL1_HbMXXO2zVUDaf84Cyp22GgQ@mail.gmail.com> <CACsn0ck49LWFuDhXGzoRDN2ufRFOgNVT1-Q_p_mxQRHJouTc0Q@mail.gmail.com> <CACsn0cmPgp8KRTRgU4aOvoEjfLkEp8wG8=Yj-_6AbnkDq_qR_Q@mail.gmail.com> <CACsn0cnrPCVto9Ye=zR1zWg7gC-0HGo6ztALkXgzpKcMVz0FoQ@mail.gmail.com> <CACsn0cmZ9Q+d6-7EUHJ-v-=hmK9yvFz_1fshAXnMRuwd2RQRFA@mail.gmail.com> <719DD3BC-83DD-4304-9C00-B72715A0FDA2@rhul.ac.uk>
In-Reply-To: <719DD3BC-83DD-4304-9C00-B72715A0FDA2@rhul.ac.uk>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BkmZIs5uH0uHXN9JQwv6kVsTMsQ>
Subject: Re: [TLS] Randomization of nonces

I wanted to explain that on my final slide but then ran over time. It is discussed in the paper, though. Sorry for the confusion.

Best,
Bjoern


> On Aug 15, 2016, at 4:46 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
> 
> Sadly, you can't implement XGCM using an existing AES-GCM API, because of the way the MAC (which is keyed) is computed over the ciphertext in the standard GCM scheme. 
> 
> This does not contradict what you wrote, but may be a barrier to adoption. 
> 
> Cheers
> 
> Kenny
> 
> On 15 Aug 2016, at 16:40, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
>> Dear TLS list,
>> Sitting in Santa Barbara I have just learned that our nonce randomization does slightly better than GCM in the multiuser setting. However, XGCM would produce even better security.
>> 
>> XGCM is GCM with masking applied to blocks before and after each encryption. It can be implemented on top of counter mode and GHASH easily.
>> 
>> As an alternative we could use 256 bit keys.
>> 
>> Sincerely,
>> Watson Ladd
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
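The XGCM construction Watson describes (a mask applied before and after every block-cipher call, with CTR mode and GHASH left untouched), as an added Go example that is not code from the thread or from the paper it refers to. It assumes the mask L is a second 128-bit key applied DESX-style, XE_{K,L}(x) = E_K(x XOR L) XOR L, and it relies on Go's crypto/cipher exposing the block-cipher interface beneath GCM, so the masked block can be handed to cipher.NewGCM; key, mask, nonce and plaintext are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xaes is AES with a DESX-style mask L around every block call,
// XE_{K,L}(x) = E_K(x XOR L) XOR L; GCM over it is XGCM.
type xaes struct {
	inner cipher.Block
	mask  [16]byte
}

func (x *xaes) xor(dst, src []byte) { // dst = src XOR L for one block
	for i := 0; i < 16; i++ {
		dst[i] = src[i] ^ x.mask[i]
	}
}

// apply sets dst = f(src XOR L) XOR L via a scratch block (dst may alias src).
func (x *xaes) apply(f func(dst, src []byte), dst, src []byte) {
	var t [16]byte
	x.xor(t[:], src)
	f(t[:], t[:])
	x.xor(dst, t[:])
}

func (x *xaes) BlockSize() int           { return 16 }
func (x *xaes) Encrypt(dst, src []byte) { x.apply(x.inner.Encrypt, dst, src) }
func (x *xaes) Decrypt(dst, src []byte) { x.apply(x.inner.Decrypt, dst, src) }

// NewXGCM: CTR mode and GHASH are Go's own; only the block cipher is
// masked. An all-zero mask reproduces standard AES-GCM exactly.
func NewXGCM(key []byte, mask [16]byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(&xaes{inner: blk, mask: mask})
}

func main() { // constructed key, mask, nonce and plaintext
	x, err := NewXGCM([]byte("0123456789abcdef"), [16]byte{'L'})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%x\n", x.Seal(nil, []byte("123456789012"), []byte("sample"), nil))
}
```

Note that this needs the block-cipher layer, not the AEAD layer, which is the distinction Kenny draws: a library that only exposes an AES-GCM AEAD API gives no place to insert the mask.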