[TLS] Randomization of nonces

Watson Ladd <watsonbladd@gmail.com> Mon, 15 August 2016 23:40 UTC


Dear TLS list,
Sitting in Santa Barbara I have just learned that our nonce randomization
does slightly better than GCM in the multiuser setting. However, XGCM would
produce even better security.

XGCM is GCM with masking applied to blocks before and after each
encryption. It can be implemented on top of counter mode and GHASH easily.

As an alternative we could use 256 bit keys.

Sincerely,
Watson Ladd
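The construction sketched in the message above, as an added example that is not the author's code nor any TLS stack's: GCM written over a pluggable block function, so the XGCM variant is obtained by wrapping that function with a before-and-after XOR mask (my reading of "masking applied to blocks before and after each encryption"), and the TLS 1.3 per-record nonce derivation (RFC 8446 section 5.3) stands in for the "nonce randomization" referred to. The block cipher is a constructed SHA-256 stand-in, not AES, because the Python standard library has none; everything else (GF(2^128) multiply, GHASH, counter mode, tag) is the real GCM arithmetic.

```python
import hashlib
import struct
BLOCK = 16

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stand_in_block_cipher(key):
    # Constructed stand-in (NOT AES): GCM only uses the cipher in the forward
    # direction, so a SHA-256 PRF truncated to one block exercises the same code.
    return lambda block: hashlib.sha256(key + block).digest()[:BLOCK]

def mask_block_cipher(E, L):
    # XGCM-style masking as the message describes it: XOR L into the input of
    # every block-cipher call and again into its output (L is extra key material).
    return lambda block: xor_bytes(E(xor_bytes(block, L)), L)

def gf128_mul(x, y):
    # GF(2^128) multiplication in GCM's bit ordering (SP 800-38D, Algorithm 1).
    R = 0xE1 << 120
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, data):
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h)
    return y.to_bytes(BLOCK, "big")

def gcm_encrypt(E, nonce, plaintext, aad=b""):
    # Counter mode plus GHASH over whatever block function E is handed in:
    # plain GCM and XGCM share this code and differ only in E.
    assert len(nonce) == 12
    h = int.from_bytes(E(b"\x00" * BLOCK), "big")  # hash subkey H = E(0^128)
    ct = b""
    for i in range(0, len(plaintext), BLOCK):
        ct += xor_bytes(plaintext[i:i + BLOCK], E(nonce + struct.pack(">I", 2 + i // BLOCK)))
    pad = lambda b: b + b"\x00" * (-len(b) % BLOCK)
    s = ghash(h, pad(aad) + pad(ct) + struct.pack(">QQ", 8 * len(aad), 8 * len(ct)))
    return ct, xor_bytes(s, E(nonce + b"\x00\x00\x00\x01"))  # tag = GHASH ^ E(J0)

def tls13_nonce(write_iv, seq):
    # TLS 1.3 per-record nonce (RFC 8446 section 5.3): the 64-bit sequence
    # number, left-padded to the IV length, XORed with the per-connection write IV.
    return xor_bytes(write_iv, seq.to_bytes(len(write_iv), "big"))
```

With a zero mask the wrapped function reduces to plain GCM; with a per-user mask two users sharing the same block-cipher key K no longer share keystream, which is the multi-user point the message makes.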