Re: [TLS] Randomization of nonces

Atul Luykx <Atul.Luykx@esat.kuleuven.be> Tue, 16 August 2016 23:38 UTC

From: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: tls@ietf.org
Date: Tue, 16 Aug 2016 16:38:21 -0700
Subject: Re: [TLS] Randomization of nonces
In-Reply-To: <CACsn0cnbiLZ9ZsG3UW-FxRRtCm7gZbwz1XdMzZLWGMHuHaMecQ@mail.gmail.com>
References: <CACsn0cm04Fjh+mvvOCP6WL=OzF6Q81cRtO7bzFSLJPVjpeBFvQ@mail.gmail.com> <CACsn0c=V8dKXd_HVhAQd5ONeqQvmk5AmcVdWjJ8kFNG3189Hzg@mail.gmail.com> <CACsn0c=euLYSZWSoHs-QJgDLL1_HbMXXO2zVUDaf84Cyp22GgQ@mail.gmail.com> <CACsn0ck49LWFuDhXGzoRDN2ufRFOgNVT1-Q_p_mxQRHJouTc0Q@mail.gmail.com> <CACsn0cmPgp8KRTRgU4aOvoEjfLkEp8wG8=Yj-_6AbnkDq_qR_Q@mail.gmail.com> <CACsn0cnrPCVto9Ye=zR1zWg7gC-0HGo6ztALkXgzpKcMVz0FoQ@mail.gmail.com> <CACsn0cmZ9Q+d6-7EUHJ-v-=hmK9yvFz_1fshAXnMRuwd2RQRFA@mail.gmail.com> <719DD3BC-83DD-4304-9C00-B72715A0FDA2@rhul.ac.uk> <CABkgnnWQK-O1SVgjeL21Eu1fTAoegZvQF+z1wYTwFjgpop39GQ@mail.gmail.com> <CACsn0cnbiLZ9ZsG3UW-FxRRtCm7gZbwz1XdMzZLWGMHuHaMecQ@mail.gmail.com>
Message-ID: <bee84018060e49f6b321848c912471b1@esat.kuleuven.be>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SiGJWqJmKpyXyVc6TQQcCg1Uajo>

On 2016-08-16 07:51, Watson Ladd wrote:
> On Mon, Aug 15, 2016 at 9:56 PM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> On 16 August 2016 at 09:46, Paterson, Kenny
>> <Kenny.Paterson@rhul.ac.uk> wrote:
>>> Sadly, you can't implement XGCM using an existing AES-GCM API,
>>> because of the way the MAC (which is keyed) is computed over the
>>> ciphertext in the standard GCM scheme.
>> 
>> 
>> Is there a reason why you can't simply XOR the plaintext stream that
>> is fed to AES-GCM?
>> 
>> We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows
>> improves things.  If we also set P = P XOR repeat(HKDF(IKM, salt,
>> label[P], 16)) would we gain any of the advantages of XCAU?  That
>> change could be made without needing a new algorithm.
> 
> Yes. XOR two adjacent blocks, and you get something that is a function
> purely of the key.

This is true if N XOR L is made public (where L is the secret value). As 
long as N XOR L is only used for encryption, and N is the value 
communicated, then it isn't possible to get a function purely of the key 
by XORing two adjacent ciphertext blocks, since the block cipher inputs 
will depend on L.

Atul
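The algebra in the exchange above, worked through as an added example (not code from the thread or from any of its participants). CTR-mode encryption of whole blocks is modelled with a stand-in block function, SHA-256 of key and input truncated to 16 bytes, so the block runs with the standard library only; the key, nonce, plaintext and mask values are constructed for the example, and the two tweaks are named `plaintext_mask` (Martin's P = P XOR repeat(...)) and `nonce_mask` (Martin's N = N XOR HKDF(...), with the unmasked N assumed to be what goes on the wire). `plaintext_mask_cancels` reproduces Watson's observation: XORing two adjacent ciphertext blocks with their known plaintext yields a value that does not depend on the plaintext mask at all. `nonce_mask_survives` reproduces Atul's reply: once the block-cipher input is N XOR L with L secret, the same combination depends on L, so it is no longer a function of the key alone. The example generalises slightly by checking both masks together, which is the combination Martin actually proposed.

```python
import hashlib

BLOCK = 16   # block size in bytes, as for AES
NONCE = 12   # GCM-style nonce length


def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def block_fn(key, block_in):
    """Stand-in for the block cipher E_K (assumption: SHA-256(key || input)
    truncated to one block). The algebra below only needs a fixed keyed
    function; this keeps the example free of non-stdlib dependencies."""
    return hashlib.sha256(key + block_in).digest()[:BLOCK]


def keystream(key, nonce, nblocks):
    """CTR keystream blocks E_K(nonce || counter), GCM-style input layout
    (counter start value simplified; it does not affect the argument)."""
    return [block_fn(key, nonce + i.to_bytes(4, "big")) for i in range(1, nblocks + 1)]


def ctr_encrypt(key, nonce, plaintext, plaintext_mask=None, nonce_mask=None):
    """CTR encryption of whole blocks with the two optional tweaks from the thread.
    plaintext_mask: 16-byte secret XORed into every plaintext block before encryption.
    nonce_mask:     12-byte secret XORed into the nonce before it enters the block
                    cipher; the wire still carries the unmasked nonce."""
    assert len(plaintext) % BLOCK == 0
    eff_nonce = nonce if nonce_mask is None else xor(nonce, nonce_mask)
    out = []
    for i, ks in enumerate(keystream(key, eff_nonce, len(plaintext) // BLOCK)):
        p = plaintext[i * BLOCK:(i + 1) * BLOCK]
        if plaintext_mask is not None:
            p = xor(p, plaintext_mask)
        out.append(xor(ks, p))
    return b"".join(out)


def adjacent_block_combination(ciphertext, known_plaintext, i=0):
    """C_i XOR C_{i+1} XOR P_i XOR P_{i+1}: computable by anyone who sees the
    ciphertext and knows the corresponding two plaintext blocks."""
    def blk(buf, j):
        return buf[j * BLOCK:(j + 1) * BLOCK]
    return xor(xor(blk(ciphertext, i), blk(ciphertext, i + 1)),
               xor(blk(known_plaintext, i), blk(known_plaintext, i + 1)))


# Constructed sample values for the example (not taken from the thread).
KEY = bytes(range(16))
NONCE_ON_WIRE = b"\x10" * NONCE
PLAINTEXT = b"block zero......" + b"block one......."   # two full 16-byte blocks
MASK_P_1, MASK_P_2 = b"\xa5" * BLOCK, b"\x3c" * BLOCK   # two candidate plaintext masks
MASK_N_1, MASK_N_2 = b"\x5a" * NONCE, b"\xc3" * NONCE   # two candidate nonce masks


def plaintext_mask_cancels(key=KEY, nonce=NONCE_ON_WIRE, plaintext=PLAINTEXT):
    """Watson's observation: with only the plaintext mask, the combination equals
    E_K(N||1) XOR E_K(N||2) for every choice of mask, so the mask contributes nothing."""
    v1 = adjacent_block_combination(
        ctr_encrypt(key, nonce, plaintext, plaintext_mask=MASK_P_1), plaintext)
    v2 = adjacent_block_combination(
        ctr_encrypt(key, nonce, plaintext, plaintext_mask=MASK_P_2), plaintext)
    ks = keystream(key, nonce, 2)
    return v1 == v2 == xor(ks[0], ks[1])


def nonce_mask_survives(key=KEY, nonce=NONCE_ON_WIRE, plaintext=PLAINTEXT):
    """Atul's point: when the block-cipher input is N XOR L with L secret and only
    N public, the same combination depends on L (even with the plaintext mask
    also applied) and is no longer a function of the key alone."""
    v1 = adjacent_block_combination(ctr_encrypt(
        key, nonce, plaintext, plaintext_mask=MASK_P_1, nonce_mask=MASK_N_1), plaintext)
    v2 = adjacent_block_combination(ctr_encrypt(
        key, nonce, plaintext, plaintext_mask=MASK_P_1, nonce_mask=MASK_N_2), plaintext)
    ks = keystream(key, nonce, 2)   # the only keystream an observer of N alone could reason about
    return v1 != v2 and v1 != xor(ks[0], ks[1])


if __name__ == "__main__":
    print("plaintext mask cancels out:", plaintext_mask_cancels())
    print("nonce mask survives:", nonce_mask_survives())
```

The stand-in block function is not a cipher and proves nothing about AES; it only makes the cancellation visible. The point the two checks illustrate is the one in the thread: a secret XORed into the plaintext of a CTR-style mode drops out of any XOR of ciphertext blocks, whereas a secret XORed into the nonce changes the block-cipher inputs themselves and therefore does not.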