Re: [TLS] Randomization of nonces

Atul Luykx <Atul.Luykx@esat.kuleuven.be> Tue, 16 August 2016 14:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Wcbd06ghoBRzG1My7tcANJLxKeM>
Cc: tls@ietf.org

Right now I see no reason for this not to work. In fact, if you XOR the
tag as well, then every block cipher call looks similar to a DESX call,
like in XCAU.

Atul

On 2016-08-15 21:56, Martin Thomson wrote:
> On 16 August 2016 at 09:46, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
>> Sadly, you can't implement XGCM using an existing AES-GCM API, because of
>> the way the MAC (which is keyed) is computed over the ciphertext in the
>> standard GCM scheme.
> 
> Is there a reason why you can't simply XOR the plaintext stream that
> is fed to AES-GCM?
> 
> We set N = N XOR HKDF(IKM, salt, label[N], 12), which the paper shows
> improves things.  If we also set P = P XOR repeat(HKDF(IKM, salt,
> label[P], 16)) would we gain any of the advantages of XCAU?  That
> change could be made without needing a new algorithm.
> 